Kerberos, PACs And Microsoft's Dirty Tricks

Chris DiBona wrote to us with something that Ted and Jeremy (Samba Boys) wrote: "Microsoft, after getting beat up in the press for making propietary extensions to the Kerberos protocol, has released the specifications on the web -- but in order to get it, you have to run a Windows .exe file which forces you agree to a click-through license agreement where you agree to treat it as a trade secret, before it will give you the .pdf file. Who would have thought that you could publish a trade secret on the web?" Read more from the Samba Team below.

The critical part of the license states:

• "b. The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not disclose the Specification to anyone else (except as specifically allowed below), and you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information, to keep the Specification confidential. If you are an entity, you may disclose the Specification to your full-time employees on a need to know basis, provided that you have executed appropriate written agreements with your employees sufficient to enable you to comply with the terms of this Agreement.

This is course is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in competiting implementations which implements their propietary protocol extensions --- extensions to a protocol which was originally published by the Kerberos team as an Open Standard in the IETF. This completely defeats the IETF's interoperability goals, and helps Microsoft leverge their desktop monopoly into the server market.

The one good thing about Microsoft having pulled this dirty trick is that it makes their propietary intentions about the Windows 2000 PDC clear as day. I doubt anyone else could come up with a charitable explanation for what they've done. What a better example of Microsoft's "embrace, extend, and engulf" business model!

Jeremy Allison,
Samba Team.

Theodore Ts'o,
(former) Kerberos Development Lead "

Re:Double Blind Reverse Engineer

The first person, who writes the spec, usually does it by reverse-engineering some software. He recreates a spec.

What if he uses a spec as his source? Some people might say that his spec is a derivative work, and a copyright violation.

So, the way I see it, we want a triple-blind. One person reads Microsoft's spec and creates an implementation. Then another person looks at the implementation and creates a spec. Then the third person creates the legal implementation.

Damn, none of this makes any sense. No wonder lawyers make money.

Re:Doesn't matter.

Wait, I'm a minor, I own LOTS of software, and I have heard for years that those liscences apply to me, and that yes, I can be arrested for violating them. Now you're saying that as a minor the liscences don't apply to me? Or that in some way I don't have the ability to use agreements on software? Wouldn't that de-validate any software I've written under GPL and make it free-reign?

A Strange Idea

IANAL, yadda yadda yadda.

(Forget the whole Winzip idea for a moment...)

If Microsoft had just made the PDF available in such a way that one had to make an agreement with Microsoft, then maybe the license would have teeth.

Well, it just occurred to me: I didn't have to agree to anything to download that EXE file. But nevertheless, Microsoft owns the copyright on that EXE file. It's just that without a license, I don't have any extra rights beyond whatever comes by default.

But I have the right to run that program.

The program outputs a PDF. Here's my idea: Microsoft didn't write that PDF, their program did. That PDF is just output from some weirdo statistical process (decompression). Does the author of the program own the copyright on the program's output? If I have a copyright "hello world" program, do I then also own the copyright on its "hello world" output? If that's the case, then I suspect the first million digits of pi are copyrighted.

This reminds me of something that Knuth was doing with recipes.

Re:A Strange Idea

[Old+Wolf]

Great idea!

In fact - how can MS have a copyright on any of their Windows code? It's just the output of Visual C++.
What's more, Linus didn't even write the Linux kernel, vi did. Vi isnt gonna defend itself in court (and if it tried, nobody would understand ;) ), so I guess that's the end of GPL.

Thanks for pointing this out!

Here is the text of the document...

Do with it what you will.
--Anonymous Coward

Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000 Operating Systems
April, 2000

Abstract

Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for user logon and to create an access token. The access token is used by the system to enforce access checking when attempting to reference objects. This document describes the structure of the Windows 2000 specific authorization data that is carried in that field.

Top-Level PAC Structure

The PAC is generated by the KDC under the following conditions:
"during an AS request that has been validated with pre-authentication
"during a TGS request when the client has no PAC and the target is a service in the domain or a ticket granting service (referral ticket).

The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket. Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.

The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is made up of several layers. The outer structure, contained directly in the authorization data, is as follows. The top-level structure is the PACTYPE structure:

typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;

Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10

Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer types or complex structures) it is a little-endian format data structure.

PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;

The fields are defined as follows:
LogonTime - the time the client last logged on.
LogoffTime - the time at which the clients logon session should expire. If the logon session should not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user. PasswordLastSet - the time the clients password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the clients password is allowed to change. If there is no restriction on when the client may change its password, this field should be set to the time of the logon.
PasswordMustChange - the time at which the clients password expires. If it doesnt expire, this field is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the clients Windows 2000 UserName, stored in the Active Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonScript - This field contains the path to the clients logon script. This field is optional. If left blank the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the clients profile. This field is optional. If left blank the length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the clients home directory. It may be either a local path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer are all zero.
HomeDirectoryDrive - This field is only used if the clients home directory is a UNC path name. In that case, the share on the remote file server is mapped to the local drive letter specified by this field. This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this clients primary group.
* GroupCount - This field contains the number of groups, within the clients domain, to which the client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the clients
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits that may be set are indicated below. Having these flags set indicates that the corresponding fields in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket request.
LogonDomainName - This field contains the NETBIOS name of the clients domain.
* LogonDomainId - This field contains the SID of the clients domain. This field is used in conjunction with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the clients account. Valid values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)

* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in the resource domain of which the resource is a member.

Fields marked with a '*' are used in the NT token.

When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;

Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is defined as:

typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;

The Length field contains the number of bytes in the string, not including the null terminator, and the MaximumLength field contains the total number of bytes in the buffer containing the string. The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding attributes for the group.

typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;

The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;

The constant value for the NT Authority is:

#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
} SID, *PSID;

The SubAuthorityCount field contains the number of elements in the actual SubAuthority conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding attributes:

typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;

The attributes are the same as the group attributes defined above.

Client Information

The client information is included in the PAC to allow a server to verify that the PAC in a ticket is applicable to the client of the ticket, which prevents splicing of PACs between tickets. The PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.

typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;

The fields are defined as follows:

ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded using "/" to separate parts of the client principal name with an "@" separating the client principal name from the realm name. The string is not null terminated.

Supplemental Credentials

The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are data associated with a security package that is private to that package. They can be used to return an appropriate user key that is specific to that package for the purposes of authentication. Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to encrypt the KDCs reply to the client. The PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE. Supplemental credentials for a single package are NDR encoded as follows:

typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;

The fields in this structure are defined as follows:

PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:

typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;

The fields are defined as follows:

CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials. The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;

The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is not present.
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.

Signatures

The PAC contains two digital signatures: one using the key of the server, and one using the key of the KDC. The signatures are present for two reasons. First, the signature with the servers key is present to prevent a client from generating their own PAC and sending it to the KDC as encrypted authorization data to be included in tickets. Second, the signature with the KDCs key is present to prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM respectively.

The signatures are contained in the following structure:

typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;

The fields are defined as follows:

SignatureType - This field contains the type of checksum used to create a signature. The checksum must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes may be determined by the wrapping PAC_INFO_BUFFER structure.

For the servers checksum, the key used to generate the signature should be the same key used to encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the servers TGT should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDCs checksum.

The checksums are computed as follows:

1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the servers key, and the result is stored in the servers checksum structure.
4. The servers checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.

PAC Request Pre-Auth Data

Normally, the PAC is included in every pre-authenticated ticket received from an AS request. However, a client may also explicitly request either to include or to not include the PAC. This is done by sending the PAC-REQUEST preauth data.

KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}

The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be included, even if other preauth data is present.

The preauth ID is:

#define KRB5_PADATA_PAC_REQUEST 128

References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000


HTML and formatting errors are mine (Anonymous Coward's).

They're Up!

Okay, the docs are up now, sooner than I thought. It's available in PDF, MS Word 97 DOC, RTF, TXT, and HTML. Or for a dir listing rather than direct links:

http://members.xoom.com/MSKerberos/

Re:Is "Kerberos" trademarked?

The name can be trademarked, the protocol itself open.

What a Bunch of Whiners you guys are!

The purpose of publishing the spec is NOT to make it an open standard and they don't even CLAIM it is.

The Kerberos spec specifically ALLOWS extensions of this nature.

The spec is made available for reviewers to comment on and to ensure it fits with the LETTER AND SPIRIT of the Kerberos spec. If any of you actually bothered to read the webpage, this would be obvious to you.

And I completely fail to get what the whining about not allowing the spec to be disclosed is all about. It is neither claimed to be nor intended to be an open standard. You don't have to read it.

I'm tired of reading all the stupid standard whines, including the mandatory phrase: "leverage its monopoly power" used in the article. This post isn't intended to be a troll. It's just a post from someone tired of reading idiotic form-letter MS-bashing posts.

Re:What a Bunch of Whiners you guys are!

[Steeltoe]

Excuse me, but we have every right to state our honest opinion in this forum. If you can't stand whining, then stay away from these topics. People like you let the Third Reich arise in the 30's.

No I'm not saying we're so much better, but it never hurt anybody to let off steam in the longer run.

- Steeltoe

what's the fud'din difference?

ok, I am a typical computer user with no opinion on the DoJ Microsoft case, other than the fact that it makes my stock less valuable. Then I read this and say, "wow Microsoft is doing bad things! They must be punished!" Nevermind that this writeup exhibits no impartiality in its attempts to paint Microsoft in a bad light. Why is this FUD any different from that that comes from Microsoft?

And while we are at it, so what if Microsoft releases a proprietary extension to Kerberos? If they want to provide the work that will allow Windows/Kerberos operation to proceed in a different manner who is to stop them? The Open Source community rallies around the idea that software, code is free for all to see, take it modify it test the limits of what you can do with it. But Microsoft can't add to it and charge for it? Well, when Linux completely supports every Microsoft specific protocol (ActiveX, MS Java, etc.) then maybe you can demand that Microsoft conform its software for everyone else.

never thought I would say this but bring that bitch Jamie back with her ridiculous 'privacy threatened' posts, at least they were fresh and not the same recycled Linux-FUD like this.

Re:what's the fud'din difference?

[nelsonrn]

Jamie is male. What else is wrong in your post? Readers beware.
-russ

Re:what's the fud'din difference?

[toaster13]

Hey jackass, maybe linux would be ActiveX and MS Java compatible if we could get the fucking code! I don't know if you realize this but in order to create those things called "software" that interact with each other, you need to know how they interact! Its not magic (contrary to popular belief). M$ would have to release the code to give us a chance. Besides, why would Linux impliment broken/security risk software like ActiveX and MS Java?

Re:what's the fud'din difference?

[DJerman]

How about if I said, "I baked a great lemon pie! I'll give you the recipie!" Then I send you a recipie for a good pie, with a legal agreement that says you can't share it, or use it, oh and by the way, it's not really lemon, it's artificially flavored, but you can't tell anyone.

That's what MS is up to. They're offering you the recipie so that they can advertise (falsely) "lemon pie, with recipie".

IANAL, and neither are you.

Trade Secret theft is a federal offense. Read about it here . Here's the scary part:

Section 1832 of the Act makes it a federal criminal act for any person to convert a trade secret to his own benefit or the benefit of others intending or knowing that the offense will injure any owner of the trade secret. The conversion of a trade secret is defined broadly to cover every conceivable act of trade secret misappropriation including theft, appropriation without authorization, concealment, fraud artifice, deception, copying without authorization, duplication, sketches, drawings, photographs, downloads, uploads, alterations, destruction, photocopies, transmissions, deliveries, mail, communications, or other transfers or conveyances of such trade secrets without authorization.

GET YOUR MIRROR HERE!

The Microsoft Kerberos specification, now available in the original, untouched PDF format, as well as the followig formats with the copyright and NDA-type notices removed:

• HTML
• Rich Text
• Plain Text
• MS Word 97 DOC

Get it here: http://members.xoom.com/MSKerberos/

Re:Kerberos? Isn't it Cerebus?

From: comp.protocols.kerberos FAQ

http://www.nrl.navy.mil/CCS/people/kenh/kerberos -faq.html#cerberus

Subject: 1.3. Hey! I remember my Greek mythology, and I thought the dog that guarded the entrance was called Cerberus! What gives?
I personally wonder about this myself. I have seen references in "The Devil's Dictionary" that claim it is Kerberos, but when I checked this myself I only found the "Cerberus" variant.

I never actually heard of the "Kerberos" spelling/pronunciation until I got involved with Kerberos myself.

From: Tom Yu

"Cerberus" is the Latin spelling of the Greek "Kerberos", and according to the OED is pronounced like "serberus", but that is quite at odds with the Greek, as the initial consonant is a "k". MIT Project Athena chose to use the Greek spelling and pronunciation.
From: Jan Sacharuk

Tom Yu is correct, Cerberus is the Latin spelling. However, the fact that the OED says that the 'c' is pronounced as an 's' is an English affectation. In Latin, the letter 'c' is always hard. So Cerberus is pronounced 'Ker-ber-ous'. The letter 'u' is also slightly different, making it somewhere in between 'oos' and 'ous'.

Re:Is "Kerberos" trademarked?

If they're not conformant with a open and trademarked standard, they should not be allowed to say they are.

How interesting! The interestingness of this is very interesting. It is interesting you came to this interesting conlusion.Interestingly, you point out that they should not be allowed to say they are open. I came to the same interesting conclution. Interesting.

Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.

Once again, you bring up an interesting point. And that point, my interesting friend, is very interesting. It is interesting to find interesting minds on this interesting site. Moderators, mark the parent "Interesting".

Re:Defeating Trade Secrets 101:

[hadron]

And the reason why the GPL does that according to RMS is that he also believes that isn't "perfeclt legal for me to create a proprietary program that relies on some copyrighted shared library".

Whether he's right or not doesn't matter - the GPL does not impose additional restrictions beyond those imposed by copyright law. Maybe some of it cannot be enforced, due to certain restrictions not being imposed by copyright law, but that's an issue that has no precedent, so RMS's stand is perfectly reasonable.

Re:Defeating Trade Secrets 101:

[hadron]

The trade secret cannot be copyrighted, but the document that expresses it can be.

No you dont !!!

[mAIsE]

If you have WinZip on your computer you do not need to double click the exe to open it. You can right click in windows and extract it!

I didn't double click any license agreement does this mean I am free to go ahead with my specifications?

Re:No you dont !!!

[mAIsE]

http://maise.penguinpowered.com/kerbspec.ps

Re:Defeating Trade Secrets 101:

[DunbarTheInept]

But in this case it was distributed in such a way that the existence of the license is not neccessarily obvious. Taking a self-extracting archive and extracting it with a tool like Winzip is something that you might have done anyway without even knowing the license is there. Someone could use this as thier defence. The company has to make a good effort to publicise the details of the license. You can't be held to a license that is buried away hidden somewhere you aren't likely to look. They have to be displayed prominently.

Re:Is "kerbspec.exe" booby-trapped?

[extra88]

Are you trying to be funny or just fighting FUD with FUD?

Re:It's just proof

[pb]

Are you accusing Bill Gates of having a God Complex? I'm sure no one else would think him to be capable of such a thing!

I agree, whatever his problem is, he's certainly deluded if he thinks that DOS pushed the industry FORWARD. Maybe he's just dyslexic...
---
pb Reply or e-mail; don't vaguely moderate.

Re:Microsoft Instant Messenger

[demon]

Exactly. I've said it before - the only time Microsoft cares about "standards" is when they decide they're not getting all the market share they deserve. But then when they HAVE the market share they want (read: the majority, or all of it), then they bastardize the standards and lock users in.

And people wonder why we're saying behavioral remedies won't work on Microsoft?

Fight fire with fire?

[jamus]

Shouldn't we now start putting licences on specifications now? Something along the lines of:

By implementing this standard you agree to acknowledge the use of this standard. You must do one of the following:

• Implement the standard fully
• Extend specifications as long as modifications are published with no further limitations and submitted to owers of this standard. Extensions must not prohibit interoperability with a system that implements the standard fully.

IANAL, but wouldn't this help prevent the "embrace & extend"?

Re:Trade Secrets only as long as they're secret...

[Sabalon]

On the other hand, what's the big deal? If no one uses Microsoft's extensions, it's a non-issue.

That's nice in a perfect world, but if you want Kerberos and MS Kerberos to work together, you're screwed.

Re: Greek letters

[KnightStalker]

The Greek chi is an "X" shaped letter that evolved into our "X" (and is pronounced like a hard aspirated "ch"). Similarly, the Greek kappa is a "K" shaped letter that evolved into our "K" (and is pronounced the same).

Re:Loophole?

[juhtolv]

Maybe few gorillas of Microsoft will knock on your door very soon. :-)

Re:Kerberos? Isn't it Cerebus?

[dangermouse]

I'm so glad someone finally got this right. Both the Latin explanation and the "Cerebus" reference. ;)

Really Dirty.

[jonabbey]

I completely agree with Ted here. Microsoft has obviously crafted this whole release as a booby trap/propaganda tool, nothing more. After all, of what use is this information, for any purpose other than attempts at implementation? Simply knowing what the data fields contain doesn't let you do any thing remotely resembling a proper security audit on their extension.

With this release, Microsoft is taking advantage of the fact that slashdot has no legal department to say 'hands off!'. All Microsoft has to do is to 'release' stuff like this and watch the fun as all of us open source fanboys get stirred up in reaction to it.

To me, the most offensive thing about Microsoft is their propensity for propaganda. Microsoft works very, *very* hard to portray reality in some very unintuitive ways, and this 'release' is more of the same doublethink. Ignorance is Strength, Slavery is Freedom, Microsoft is Open.

And why do you think Msoft used noneditable PDF?

[jonabbey]

I wouldn't be surprised if they used PDF rather than .DOC or .TXT so that someone couldn't just edit the file, remove the restriction declarations, and redistribute to innocents.

I bet you'd have a hard time finding a PDF file anywhere else on the Microsoft web site.

Re:Ignore Microsoft's release, don't break license

[jonabbey]

Certainly it would be up to a judge to set precedent on an issue like this.. my point was that a lawyer would be able to tell you whether such precedent had already been set in the past, or whether the applicable laws as written and as adjucated in the precedents would give a likelihood of being able to successfully contest the legality of this.

More power to those who wish to get sued over this to give this thing a test. I just feel it probably shouldn't be the Samba team, say. Not unless some lawyer does say 'we can take them!' and not unless some nice company is willing to pay the Samba team's legal bills.

Re:Get around the license ... ?

[Rob+Wilderspin]

So if you get your ilttle brother to steal a car and then drive around in it yourself, you can't be done for anything? Good luck, mate!

Trade Secrets, Copyrights and Australian Law

[mabs]

Well, as far as I see, with all the comments people have made and how I understand the Australian Copyright Law (I could be wrong..), but, there is a hole in the law that states that you are alowed to reverse engineer anything, for reasons of interoperability...

I am not 100% sure, about how it exactly applies to the documents that have been released, but, maybe an aussie could legally build interoperability into current versions of Kerberos...

Stunning... and therefor terrifying!

[Eck]

That's not the end of their continued dirty tricks. It's almost as if they're stepping up every kind of nastiness to make up for lost time!

There are reports like these cropping up. Like any publisher, Micro~6 doesn't like the resale market. Unlike some, they're in a position to bully small resellers out of business.

Re:OUCH! Check this out...

[Virtex]

Really? I think I'm going to send M$ some emails with the following message at the end of each:

"By receiving this email, you agree to send me one million dollars"

And see how much money they send me. I bet it won't be much (i.e., $0).

--

The answer is simple

[jjohn]

problem: M$ published the specs, but the user needs to agree to a license to see the specs

solution: The samba team uses the specs, implements them. End users of samba then
get the same M$ package with the same agreement,
whether they want to see the code or not. The whole world thus agrees to keep M$'s stoopid propriatary horse-poop a secret.

You know, for a company in fast decline, I don't know why they aren't scrambling to win back developers. I suppose it is too late to save poor old Microshaft. They are now irrelevant. I suppose we should send a win2K box to that Obsolete Computer Museum. :-)

Re:The answer is simple

[Graymalkin]

Uh, how do you figure M$ is irrelevant? 89% some percent of people still use their OS on their personal computers and they make billions of dollars a year. I haven't seen them lose any developers. As a matter of fact a company around here just signed a juicy deal with M$ to provide them with biometric reading software thats going to be in the next couple versions of Windows.

Re:The license is still all over the damn thing

[cpt+kangarooski]

Wouldn't it just be funny if a court eventually decided that there's no such thing as a public trade secret?

No, it would be sensible. Hopefully they'll do it.

Security review requires implementation

[bill_mcgonigle]

Can anyone tell me how I'm supposed to conduct a proper security review of a protocol without doing an implementation? Point 1: There's no proof the Microsoft client (binary) is implemented according to this spec. (granted this might make the review questionable from the start) so I must do an independent implementation to be certain. Point 2: A protocol should be secure independent of hardware/OS platform. Testing this requires an implementation, unless Microsoft intends to provide a client binary for each machine/OS it might be run on. See also point 1.

How Can This Still be a Trade Secret?

[codermotor]

After all, it is now virtually public information. Anyone with access to a Web browser can get this document.

I would think that making the spec publically available to anyone in the world (through a globally accessible medium: the Internet) would invalidate any portion of the license which requires the "licensee" to limit access to the document.

It is contradictory for M$ to release information within a global forum accessible to anyone, but then to require others to limit access to the same material.

It's no longer secret; M$ released the information itself - it wasn't leaked or stolen; it was done publically; it was done globally; it was done purposefully: it's no longer a trade secret.

I suppose M$ is within its rights to limit the use of the information in any commercial way, but what is to stop anyone from implementing the effects of the spec in a different, but compatible manner? Isn't that what Samba does - implements SMB without using M$'s proprietary code?

And this is an interface specification, yes? Is it illegal to implement or make use of an interface? It's not code, per se.

The specific brand name electrical outlets in my house are probably protected under some intellectual property laws, but I need not obtain either a license or permission from the manufacturer to plug any device into that outlet. I am not restricted to using only appliances made by, or authorized by, the maker of the electrical outlet.

I really think Microsoft is trying to make up its own laws here (again).

Re:Trade secret == open season

[dwdyer]

The click-through license is still a problem. The license clearly states:

a. Provided that you comply with all terms and conditions of this Agreement, including without limitation subsections (b)-(d) below, Microsoft grants to you the following non-exclusive, worldwide, royalty-free, non-transferable, non-sublicenseable license, under any copyrights or trade secrets owned or licensable by Microsoft without payment of consideration to unaffiliated third parties, to reproduce and use a reasonable number of copies of the Specification in its entirety for the sole purpose of reviewing the Specification for security analysis. By way of clarification of the foregoing, the Specification is provided to you solely for your informational purposes (for review as specified above) and, pursuant to this Agreement, Microsoft does not grant you any right to implement this Specification.

(emphasis added)

So you can look, but you can't implement.

Re:The license is still all over the damn thing

[JPelorat]

Funny as in ironic. I'd like to see it happen too - that's why I said something about it.

Re:The license is still all over the damn thing

[JPelorat]

Hehe, that's pretty creative.. there is, however, another discussion going on in this thread regarding the structural soundness of distributing trade secrets under a common license for anyone to pick up and agree to. Wouldn't it just be funny if a court eventually decided that there's no such thing as a public trade secret?

Re:Loophole?

[lithis]

you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information

it says reasonable security precautions, though.

Re:Oh

[unitron]

Either that or they just got fed up with your inability to spell the name of the company and the product.

Re:The license is still all over the damn thing

[hobbit]

I'll email it to you, my friend.

Hamish

Re:How to bypass the pop-up

[Phil+Wilkins]

IIRC there's a CAB viewer in the Win95 plus pack. So by extending your argument another stage, this makes Windows illegal.

Excellent!

Re:OUCH! Check this out...

[Dagmar+d'Surreal]

That does not stand the least little bit of a chance to stand up in court.

For example...

The following phrase is a trade secret of me:

"Rubber baby buggered bindles"

Viewing of this phrase outside this message by persons other by myself is subject to a mandatory licencing fee of $5.00. You now owe me $5.00.
Cough it up you hippie.

Something is either patented, trademarked, or FAIR GAME once discovered.

Re:Loophole?

[ToiletDuk]

The real question is, has anyone arranged to have the source code broadcast at 1 frame per second on Austrailian Television?
:)

• _____
• 
  ToiletDuk (58% Slashdot Pure)

Re:Get around the license ... ?

[ToiletDuk]

Hypothetical situation: If an underaged orphan with good coding skills joined the samba team, downloaded the source code, agreeing to the non-legally-binding agreement, and used it to add the functionality (if you can call it that) to samba, would anyone be prosecuted?

• _____
• 
  ToiletDuk (58% Slashdot Pure)

Re:Loophole?

[markb]

That's what I did. I just dragged that EXE over to a WinZip window, and extracted the PDF. So, as far as I know, there is no license agreement.

Re:Defeating Trade Secrets 101:

[Zagadka]

Fine. But my point is that with normal copyright, I can distribute works that rely on someone else's shared library.

No you can't -- unless given permission to distribute something, copyright does not allow you to distribute it, incorporate it into another program, whatever. You can't take a .dll (dynamic library) from a commercial Windows program, include it in your program, and then distribute that program.

Did you fail reading comprehension? Read again where I said:

If I wanted to, I could write a program that relied on some other company's shared library, and I could sell tht program (and yes, distribute it). As long as I don't include the copyrighted library itself then copyright won't restrict me from doing that.

And yes, it was bold in the original post too.

Re:Defeating Trade Secrets 101:

[Zagadka]

As I understand it, you can create a proprietary work that does not itself contain the shared library. If the library is proprietary, the customer is responsible for getting his own copy. If the library is GPL, the customer can get his own copy, or you can supply the customer with the GPL'd library, including source if asked.

RMS doesn't think so. RMS has made it pretty clear that he thinks that things that link with shared libraries are "derivative works", and so are subject to the restrictions of the GPL. So RMS believes that the situation you're describing is not allowed by the GPL.

He could be wrong though. I believe (though IANAL, so I'm not 100% certain) that plain old copyright alone would allow the above. Whether GPL can actually legally do things "beyond copyright" is another issue. I don't know if it can. (Microsoft's EULA's certainly tries to do things beyond plain copyright.) My point is that RMS's intent is for GPL to be more restrictive than I believe normal copyrighted works actually are.

Incidently, the situation you describe is explicitely allowed by LGPL.

Re:Defeating Trade Secrets 101:

[Zagadka]

Now the GPL claims that a program which uses a library is a derived work of that library, but if this turns out not to be true (it's not been tested in court AFAIK) then that section of the GPL doesn't carry any weight.

Maybe the case. My point is that the intent of the GPL is to be restrictive in a way that copyright actually isn't (AFAIK). Whether this is actually possible or not, I don't know.

In particular, it's perfectly legal for me to create a proprietary program that relies on some copyrighted shared library (.dll, .so, whatever-your-OS-uses) made by someone else.

Are you sure? Without the permission of whoever wrote the library? Have a look at the files for Microsoft Office, pick a DLL at random and distribute your own program linking with that DLL. See what happens.

No, I'm not 100% sure. There is a precedent though. A lot of emulators (Mac emulators, Amiga emulators, dosemu, video game emulators) require that the user get some software, usually ROMS or a "boot disk", from the system to be emulated. The emulator then does something that isn't significantly different from "dynamic linking" with this code. I haven't heard of anyone getting sued about this. Even if copyright law doesn't explicitly allow this, I doubt that any proprietary software author would pursue the issue, since they're getting paid for their work in any case.

As for linking with DLL's from MS Office, that's essentially done by any application that embeds Excel or Word OLE objects. One could probably argue that that was explicitely allowed by Microsoft though.

Another interesting example: Suppose someone documented the interface of libreadline (which is GPL) and placed this on the web. Now suppose someone else who had never even heard of GPL saw this documentation, and produced (and distributed) a proprietary closed-source program that called the documented libreadline interface. They've now violated the intent of the GPL. I'm reasonably certain they haven't broken copyright law (but of course, IANAL). Perhaps, by being a "licence agreement", GPL is able to do things independent of copyright though. It's not copyright law that prevents people from using Microsoft's Kerberos documentation to add support to Samba. It's the license agreement.

Re:Defeating Trade Secrets 101:

[Zagadka]

Whether he's right or not doesn't matter - the GPL does not impose additional restrictions beyond those imposed by copyright law. Maybe some of it cannot be enforced, due to certain restrictions not being imposed by copyright law, but that's an issue that has no precedent, so RMS's stand is perfectly reasonable.

EULA's often impose additional restrictions beyond copyright. Where does copyright law say I'm limited by the number of clients that connect to a server? I'm not creating additional copies, so copyright is irrelevant. But go take a look at the EULA for Windows NT Workstation 4.0. Maybe you're right, maybe this condition of the GPL can't be enforced, or maybe it can. But my point is that GPL is at least trying to enforce something that I'm fairly certain is outside of the scope of copyright.

But the issue does have a precedent. Taka a look at this comment I wrote just a minute ago. Look at the part about emulators. Does copyright prevent emulators that require ROM files? I don't think that would make any sense, since nothing is being copied. The same goes for dynamically linking. If someone distributes code that depends on someone else's library, but doesn't actually distribute (ie: copy) that library, then they're not infringing any copyrights.

What must be done...

[Art+Tatum]

Someone (who is conversant with the technology) must:
1) Read the document;
2) Write a summary of the extensions in their own words;
3) Get the Kerberos development team to extend Kerberos based on the information in your summary.

So long as the Kerberos team didn't read the original document or see any original code, they haven't violated anything and their modifications can be placed under GPL, right? IANAL, so if anyone reading this knows otherwise...smack me down with a cluestick.

license is in pdf

[aphr0]

For those that never bothered to actually do any research before mindlessly posing, the agreement is included at the bottom of the pdf file and is referenced at the beginning.

Re:It's just a CAB file

[Signal+11]

It may be a legal "dare" by Microsoft to test the DMCA. Remember, you can't "bypass copy protection measures".. and this is such a trivial one you really have to wonder. Especially since they labelled it a "trade secret". Why?

Legally, trade secrets enjoy very little protection... but it sounds like it would make an excellent soundbite for the media if it were "leaked" by a bunch of "hackers".

Re:Loophole?

[Julz]

What you mean like what if you run Windoze and some little hacker manages to get access to your special "My Documents" folder and grab the specification.
Well bad luck I'd say they've got you there. May as well give up now and get Linux now.
;-)

Does not apply!

[kels]

But at the beginning of the file it states:

"If you are an authorized licensee, when you downloaded the following Specification, you agreed to the Agreement..."

and then in the legal notice before the Agreement:

"If you have not downloaded the Specification from Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification."

So I guess I'm not an authorized licensee. I don't think (insert standard IANAL here) that I am bound by anything with respect to this license. As far as I can tell, Microsoft doesn't have any intellectual property claims over this document besides copyright. So redistributing the document itself probably does infringe their copyright, but distributing the information contained therein does not.

Re:Does not apply!

[glebfrank]

It states: "Please review this Specification copy only if you licensed and downloaded it from Microsoft Corporation's website; if you did not, please destroy this copy, ... You are obliged to destory it if you did not license it.

Doesn't look like that to me. Sure, they want you to destroy it, doesn't mean you have to do it.

Re:Does not apply!

[ptan]

Read the WHOLE paragraph. It states: "Please review this Specification copy only if you licensed and downloaded it from Microsoft Corporation's website; if you did not, please destroy this copy, ... You are obliged to destory it if you did not license it.

Re:Better than a patent

[Thagg]

I agree that on a level playing field, Microsoft would not have a chance with this defense. If they were suing IBM, say, Big Blue's lawyers would be able to make your argument.

But, when it comes to attacking Open Source projects, the field is not level. Not only do the Open Source projects have little money to hire lawyers, they are often not even in the same country as Microsoft. We've seen that it's quite easy for rich companies to get restraining orders against groups or individuals like this.

So -- it works as a threat; and that's all it has to be. That last line, that by reading this you agree to the terms of the license, is laughable legally -- but they are the ones laughing all the way to the bank.

thad

Re:Defeating Trade Secrets 101:

[mitheral]

Ah, but the GPL grants you additional rights that you would not normally have under copyright law.

This MS antic attempts to preserve a trade secret by getting everyone who downloads/opens the .EXE to agree to a Non-disclosure Agreement.

Not quite the same thing.

Re: Question for Lawyers (with a localized answer)

[earthy]

In the Netherlands trade secret protection does not hold if the group of people the secret is distributed to is too large. This holds *even* if each and every person in that group has vowed to keep it secret. The point is that a large enough group of people in and of itself is a `public', so distributing a trade secret to a large enough group of people implies publishing the trade secret and therefore lifting trade secret status.
Neat, huh? :)

Re:Kerberos? Isn't it Cerebus?

[Edward+Teach]

In classic Latin, Cerebus would be pronounced "care-eh-boose" and in Seminary Latin it would be "sar-eh-boose". Seminary Latin pronounces most C's as an S. Classic Latin allows NO soft C's. It the only words in Latin that begin with K are those inherited from Greek. Most likely Kerberos is the Greek and Cerebus is the Latin (Roman). Also, in Greek it is Herecles not Hercules. Therefore, the logical assumption would be as follows: In the 12 labors of Herecles, he went to the underworld and captured Kerberos. In the 12 labors of Hercules, he went to the underworld and captured Cerebus.

Thus endith the lesson.

Damn!

[Edward+Teach]

I hat it wen I mispill thangs...

In Classic Latin "Cerberus" = "care-bear-oos" (not the cartoon care-bears)
In Seminary Latin "Cerberus" = "sare-bear-oos"

The rest was right though!

Re:yr .sig

[Edward+Teach]

It is a smiley.

this is kind of scary

[geocajun]

If this code is somehow included into the open source samba software, can microsoft sue samba for disclosing thier trade secret by publishing this 'open source'?

Re: OT: Doesn't matter.

[Samrobb]

IANL - from what I understand, though, yes, minors are unable to participate in certain kinds of legal contracts. Marriage and a military enlistment contracts come to mind. Don't know off hand if it applies to this type of agreement, but I'd tend to suspect that it would, as your average minor (heck, your average adult, even) would be hard pressed to explain (legally) what a trade secret was, why safeguarding one was so important, and what the possible repercussions could be. Then again, I might be wrong. I'm a programmer, not a lawyer, and logical thinking doesn't always make sense as far as the law is concerned...

Re: where is a copy of this memo?

[Mr.+Flibble]

Try here for as much of the memo as is legally released. You cannot actually read the damning statement for legal reasons. Still, The Register has a good article on it.

post that bitch to the freenet!

[Blue+Lang]

I really do wonder sometimes if it might be cool to just declare bankruptcy, get a job working at mcdonald's, and spend my free time taking code like this, publishing it, implementing it, and then getting sued.

And then I think, wait.. Who cares? It's Windows, in five years, no one will use it anyways. :P

--
blue

Re:Trade Secrets only as long as they're secret...

[Panaflex]

But you don't understand. If microsoft said the sky was red, then the court would say yes it is!

Even if only because the sky is red at dusk..

Twisting truth for fun and profit.

Pan

Re:It's just proof

[Miguelito]

2 - I think that Microsoft did indeed help the industry. They provided a low-cost common platform for people to develop applications for.

Actually, MS is not responsible for PCs being cheap. That was do to IBM using off the shelf technology that could be cloned... thereby creating competition which drove prices down.

MS OSes have been going up in costs over the years, not down.

Re:SAMBA in binary.

[kevlar]

Actually it has absolutely nothing to do with that program. Its a security group I used to belong to, but haven't done anything with for a while. That company thought the name was cool and took it for their product. Lame++

Re:Defeating Trade Secrets 101:

[ethereal]

MS puts it on their page for everyone to DL, there was no agreement that I saw that said I couldn't give it out to anyone else, it's public domain.

I think that you could make the argument that the information is now public knowledge; someone else has effectively made this argument here.

However, just because there was no license agreement doesn't mean the document is in the public domain. There's a difference between software licensing (which is contract law) and public domain (which is copyright law). Microsoft is effectively acting like a newspaper or a radio station here - they are publishing something to a lot of people, but that doesn't give their audience distribution rights as well. Try making photocopies of the New York Times and selling them for half price, and see how far you get. Or better yet, try rebroadcasting a major sporting event in your bar :)

Adding 2+2 as a copyright?

[Wokan]

You mean, like copyright? Owning copyrighted without ever having been licensed to do so? Modifying copyrighted works?

Just because the information contained in the doc is a trade secret, doesn't mean that the doc itself has no protection. It's no different from grabbing a Word doc of Ender's Game and throwing it on the web, sans copyright information.

I seem to remember these books that were copyrighted. Seems like they used them a lot in grade school. Oh, yeah. They were called textbooks.

Strange thing, these textbooks. It seems that you were allowed to implement the knowledge you gained from them without having to pay royalties to the author.

So if someone happens across these specs along with other network information, and uses them for research for a school paper on networking computers followed by publishing such an outstanding piece of homework on their website for all to see, admire, and mirror...

I believe the government doesn't intend for the DMCA to prevent students from using copyrighted references under fair use in their schoolwork. Things like encyclopedias, newspapers, books, and text files. I think said student should be proud of their homework, and I'd like to see what kind of grade the online community gives them.

So my question to you, Willy G., is if you intend to now police every student's homework in the world.

Digital Wokan
I wanted to spend 8 years defending the US constitution.

Re:Defeating Trade Secrets 101:

[Wokan]

In the United States, any artistic expression is automatically copyrighted to the author on creation, regardless of copyright or other protections sought.

Since when is a computer communications specification art? Somehow during all those Computer Science classes, nobody managed to mention switching over to study for a Computer Arts degree.

Digital Wokan
I wanted to spend 8 years defending the US constitution.

Re:Please moderate the previous post down!

[Wokan]

Moreover, making the contents of the file widely available in this manner threatens to taint the efforts of those who need to get this information legally!

Holy crap! That means that all MS had to do to protect their extension was to "illegally" post it here to Slashdot as an AC. The insiduousness of it all. Someone hand out the identity of the MS employee that posted that spec as an AC. Evil deceipt of such imaginitiveness deserves a respectful handshake for winning this round.
Digital Wokan
I wanted to spend 8 years defending the US constitution.

Re:Defeating Trade Secrets 101:

[NMerriam]

Right. Copyright is for published material.

No it isn't. Please refrain from criticizing other people's understanding of the law if you don't really know yourself.

Copyright exists for any creative work from the moment of creation. If I write a screenplay and lock it in a trunk and no human ever sees it but myself, it has a copyright. Publication has nothing to do with it.

AT&T was asserting that the Unix source code was a trade secret, and wasn't copyright

That was a separate issue -- is computer code a creative work? That's still to be debated conclusively in the courts, so ATT chose the path most likely to lead to success, which is the well-established ground of trade secrets.

A PDF document written about a technical issue is not computer code, and its protection under copyright law would be unquestioned by any court in the US. This is not a gray area of copyright law.

Re:It's just proof

[NMerriam]

The 386 was around for years before they even put in support for more than 1MB, and even then it was only because they were threatened with a very good competitor - DRDOS

And of course, DesqView386 offered true multi-tasking on the 386 processor, taking advantage of all the new capabilities of the processor while maintaining 100% compatibility with DOS applications. About 10 years vefore MS got around to it...

Re:Would never be upheld in court...

[Todd+Knarr]

There are those that would say that this sort of extended implementation equals non-compliance. For what it's worth, I disagree.

The problem isn't that they added extensions. The problem is that they used those extensions in a way that makes it impossible for Windows workstations to interoperate with other Windows machines when authenticating through a non-Windows Kerberos server. This pretty much forces anyone wanting to use Windows workstations to switch to Windows for the Kerberos servers whether they want or need to or not. Or they have to drop Kerberos authentication for those workstations. This despite the fact that they easily could have made things interoperate right, using the additional capabilities when using a Windows Kerberos server and dropping back to standard Kerberos behavior otherwise.

Re:RevEng Proof, reasonability etc.

[The+Vorlon]

1. Record the whole reverse engineering process on video to use as proof of actually rev.eng'ing, not following specs in court.

Trouble is, reverse engineering sometimes involves a lot of guesswork and intuition, which is difficult to document.

2. Publishing a "trade secret" obviously isn't "reasonable effort to protect", is it? Even with oxymoronish "by reading this..." comments.

According to the terms of the DMCA, it can be argued that Microsoft *has* tried to protect its trade secret, because they've published a document in a format that requires an individual to agree to a legally binding license before proceeding. If you click 'yes' and then redistribute it or use it for reverse-engineering purposes, then you've violated the license; if you circumvent the technical protection (which is flimsy, but of course the DMCA doesn't care), then you're in violation of the DMCA, and we all know how good that law's been for the rights of the citizen. Either way, under no circumstances is it *clearly* legal to use information gained by way of this document for creating a competing implementation. That fact alone is enough to make life difficult for those working on reverse-engineering the MS PAC.

watchdog group needed?

[Daniel+Zappala]

Maybe what we need is some sort of watchdog group, to notice when Microsoft (or anyone else) doesn't play nice in the standards game. If this group could build some influence, get ink from the press, etc, then maybe enough public pressure would build to force people to work in the open. Imagine if the immediate reaction from CNN was to run a headline story on this development, with the same sort of attention the DOJ case is receiving... We need some way to sound the alarm to the general public.

Does such a group exist yet? Why not? This is exactly what an "open source society" needs.

Re:watchdog group needed?

[Spoporwesh]

As in a reminder, please don't say Micro$oft or I'll beat you in the head with an anvil.
Have a nice day.

Woohoo! Something else to mirror!

[socratic+method]

Great! Another bunch of quality code snippets for those DeCSS (a cascading style sheet removal program, of course) mirrors.

I'll put it on mine between my copy of the Hacker's Manifesto and the CyberPatrol hack.

Internet != free information
Civil disobedience == free information

sm

Re:Kerberos? Isn't it Cerebus?

[Darmox]

They're both more or less the same, and that's where the name comes from. I -believe- that the Greek version is Cerberus, and the Roman was Kerberos, although I could be wrong. I have also heard that Kerberos is how "Cerberus" should be pronounced (Kur-bear-ous)

Re:Kerberos? Isn't it Cerebus?

[Medievalist]

Kerberos? I thought the three-headed dog that guarded the gates of Hades was called "Cerebus"?

There's no "soft C" (pronounced like S) in ancient Greek - only a "hard C" (pronounced like K). So the spelling is optional in English, choose your fave...

This is why the Boston Celtics are a laff - Greek "Keltoi" or "people of the axe" somehow ended up as "Seltiks".

--Charlie

Re:can this be bypassed?

[linuxghoul]

I don't think you get it. You may dirtribute it,
you, may copy it as often as you like. It isn't you M$ is targeting. But when teams like the Samba guys try to create free implementations of their "extensions" of the protocol, M$ would have a decent case against them, decent enough to not be immediately thrown out of court. M$ need not win on such a case, only strech it out long enough to break the vistims.

Re:And they can probably prove it if you do...

[MeanGene]

Given this fact, I wouldn't be surprised if this spec describes some small detail which is NOT present in the behavior of Win2K. Oh great, the next DOJ investigation is going to be not about secret APIs, but about secret bugs (where bug is defined as a deviation from published specs)! ;-)

Re:Defeating Trade Secrets 101:

[MeanGene]

When are you guys going to grow up!?!?

It's like being happy about sneaking into your house late at night through the window just because cops on the street didn't shoot you.

The issue is not that you can extract the PDF file out of kerbspec.exe. The issue is that Microsoft DARED to prepend that spec with the license that (hold your breath!) doesn't allow you to implement a counterpart to talk to a MS Kerberos client or server

Re:The license is still all over the damn thing

[platypus]

There is a open source cab-lib out there, works under linux. Perhaps it can handle the file, so my suggestion is:

uncap dirty_microsoft_file.exe | pdf2txt | grep 3 -v "agree" > sanitized_text_file.txt

voila

Re:Defeating Trade Secrets 101:

[platypus]

There may be people/organizations willing to stand up against that. It may well be an attempt of microsoft to "poison" the samba programmers (and other parties) with knowledge about that protocol, making sure that they cannot even attempt to reverse engineer it because know MS will always be able to diz them for breaking that license.
It might be the best to attack this strategy now and technical games togetger with legalese might help with that.

Re:Defeating Trade Secrets 101:

[magic]

The original poster meant that the document is copyrighted, not the concepts in it.

While they were at it..

[Black+Parrot]

Here is the latest scoop from The Register. More MS internal e-mail, sent by a certain Bill Gates less than 30 days after the end of the trial phase of the DoJ suit, concerning plans to shaft the Palm Pilot.

Apparently.

Unfortunately, key phrases of the document are censored out of the version of the DoJ memo that The Register has access to.

--

GPL The RFC's (Acronym soup)

[Lensman]

OK, I'm certain there's some lawyer type out there who could find the right legalese to do this, But here's the basics that I'm proposing.

Since the IETF is the org in charge of RFC's, and since RFC's are what we are using to define the protocols. How about having the IETF, through it's working groups, release all RFC's under some form of the GPL, and trademark the generic name for the protocols.

This should have the effect that all interoperability protocols are published as public documents, and extended private protocols cannot use the publicly defined name.

This would allow the companies like MS who want to "innovate" their own protocols to do so. But without confusing the market. (ie kerberos v. MS kerberos), and with out being able to "extend" (read "Steal") the work of others who do publish open standards.

Additionally, this should be applied retroactively to all published IETF RFC's

(Should this be submitted to the IETF as an RFC of it's own? If so contact me and lets get the ball rolling.)

kerbspec.exe /c /t:c:\temp /q

[scotpurl]

If you run:
kerbspec /c /t:c:\temp /q
You'll get the contents, and never even see the license.

Is that legal advice?

[TheDullBlade]

I advise you to consult with your lawyer before advising anyone to consult with their lawyer.

Oh, wait, IANAL! Curses, I am doomed! doomed...

Re:Potential workaround

[Nebulo]

Here's an extension to your thought: what if you set up a program for a blind person that would read the text of the specification (no chance to "click OK" and accept the license)? Or (hmm...) give them a copy of the thing, *accidentally* omitting the license page, and have them use one of those library auto-OCR machines to read it back? What if I read the spec, and (in written form) ask a subordinate of mine to engineer a patch to Keberos that would make it behave in the following manner? Designing software to act a certain way can't be illegal (can it?) provided the code is all original...?

I agree with many of the posters here: even among this limited population we can conceive of numerous potential get-arounds for this situation, so it's unlikely that any court would look at this and think, "You know, despite offering this 'trade secret' document to millions of online users, I don't really think Microsoft really meant for them to use the information contained within it."

Besides, what would be Microsoft's motivation for distributing the spec, "FYI" ?!? It's not like we're going to program our *neurons* to do MS-Keberos authentication - and what other possible use could we have for this information? Any reasonable person would not blink twice if you used this to create a compatibility layer.

The question of the anonyminity of the programmer is also a valid one. If a compatible version of Keberos were to suddenly appear on the web or in my mailbox on an unmarked, no-return-address floppy, how in the world would Microsoft figure out who to bring a lawsuit against? They would be unlikely to prove that somebody didn't reverse engineer it, especially, as one poster noted, if the implementation was engineered to spec and not to behavior.

Ah, the issues of the digital age... it's only uphill from here.

Nebulo

Re:wow

[Nebulo]

But, to be fair, computer science has come a --long-- way over the last 20 years, since the dawn of the PC. Sure, Microsoft made some weird assumptions (640K is a shining example) but they were also trying their damndest to stay on top of things. Something had to slip through the cracks, and they're now going to pay the price with a bloated operating system and a legacy API that dates back to before some of today's developers were even born.

This is one reason that Apple is on the right track with OS X. They've carefully inspected the still-warm corpse of the Macintosh OS 9, ripped out the juicy parts and left the rest to rot. Microsoft is going to be kicking themselves in the arse when Apple releases a honest-to-Jobs *new* operating system while they're still churning out DOS-compatibility-mode code.

Besides, one must at least admire with sick horror what they've managed to build on top of DOS. It's a miracle that the bear dances at all, never mind that he can't do the macarena!

:)

Nebulo

Re:Did Micro$oft have to do this.

[Nebulo]

Define competition. Would a court take a social standpoint (how many people use the software) or an economic standpoint (how much money does the company make from the software)?

Open Source software almost by definition does not directly generate profits from its products. Sure, you can make money from supporting the products, but that's not the same thing. One might argue that closed-source software does not compete with Open Source software because it does not draw capital from the Open Source software provider. Open Source, on the other hand, at least has the potential to draw capital from its closed-source counterpart. So - does they compete? Are they competitors? Can there be such a thing as one-way competition?

Thoughts from an observer of the Open Source community

Nebulo

Re:Defeating Trade Secrets 101:

[Tony-A]

As I understand it, you can create a proprietary work that does not itself contain the shared library. If the library is proprietary, the customer is responsible for getting his own copy. If the library is GPL, the customer can get his own copy, or you can supply the customer with the GPL'd library, including source if asked. Furtherermore, if you modified the library to support the proprietary work, the modified library is of course required, the source for the modified library must be readily available, clearly marked as to what you changed, but source for the proprietary work does not have to be available.

It gets sticky if you need proprietary extensions to a GPL'd library. It's even stickier if the library is proprietary, and you cannot change it.

Re:Ignore Microsoft's release, don't break license

[rcw-work]

I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

Actually, I did exactly that (right-clicked on the .exe and chose extract-to-folder) and never knew there was a click-through agreement until I read these slashdot comments.

Re:Is "Kerberos" trademarked?

[Ozric]

Can you Relicense under BSD -syle license ? Why not have MIT relicense KerBeros Under the GPL and have the old license revolked. Then MSFT would have to publish the changes and the Src.

Re:hello

[Wah]

You're right; it isn't legal. But people think it's legal

that's why M$ is pushing UCITA so hard.

(nice .sig)

--

But it will work with kerberos...

[jtgold]

...as a client. Kerberos clients simply won't be able to get access to domain resources.

Re:Defeating Trade Secrets 101:

[nutsy]

Not very helpful, Icebalm. What format is the archive? What's the general procedure for extracting files from this format of archive that doesn't involve using some particular (closed-source, bloated, crappy) program that's only available for one particular (closed-source, bloated, crappy) operating system?

From poking at the executable, I find the answer to the first question seems to be "It's a .CAB". As for the second, I'm genuinely curious, and haven't (yet) found an answer.

-- Oh, wait, I forget ... the only people who read slashdot anymore are corporate zonks who slave away the hours under MS-Windows by day, run Linux and pretend to be revolutionaries by night. "News for nerds", indeed. Bleargh. When this site went down last night, it should've stayed down.

Re:It's just proof

[mikelieman]

I think the point here is TRUE multitasking. (iirc, Win386 ran an app if you were looking at it, and didn't do that for every dos app)

Re:Trade secret == open season

[The_H0und]

Did I mention that you can bypass the license agreement by opening the executable with WinZip and not ever executing the thing?

Have fun!
Josh

Re:Defeating Trade Secrets 101:

[Greg+Lindahl]

The original poster meant that the document is copyrighted, not the concepts in it.

Right. Copyright is for published material. Trade secrets can't be published. As I said, you shouldn't play lawyer on /. if you don't know what you're talking about. And don't trust me, I'm not a lawyer either. But I paid attention back when AT&T was suing Berkeley over BSD. At the time, AT&T was asserting that the Unix source code was a trade secret, and wasn't copyright.

Re:Ignore Microsoft's release, don't break license

[mystik]

I don't get why everyone is advocating tricks to et around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

This is standard practice for me, because this is how i avoid viruses. If i can't open it w/ my File manager (Windows commander- which opens just about anything) I delete it.

Re:Better than a patent

[nevets]

The one main problem I see with this is how can you have a public trade secret? I would really like to see how Microsoft fights this in court.

A while back, my company had non-employees read proprietary documents that were left on desks, and used them outside the company. When my company went to court, they lost because the judge stated that the company made no effort to hide those documents. They were left out in the open where anyone can read it. I don't know if the laws have changed any, but publishing a spec on the internet with a lame license agreement doesn't sound like trying to protect their secret.

Does Microsoft have so much money that they can blow it away on so many court cases. Maybe the anti-trust case excites them and they like to go to court. MS Lawfirm!

"Lets see how many judges we can really piss off!" -- William Gates
(Ok, I don't know if he did actually say that, but it certainly seems that way!)

Steven Rostedt

Re:Is "Kerberos" trademarked?

[Malcontent]

To me the motive is clear. Ms intends to either sue the samba team or have them thrown in jail. By now that agreement and spec has been widely distributed on the net. Any implementation by the samba team is now tainted . Coding has now become a criminal activity, welcome to the Wonderful world of MS innovation.

Re:Trade secret == open season

[jasha]

It's my impression that as long as the entity (Microsoft) takes reasonable steps to protect their trade secret (they have), regardless of how you get it, it is still protected.

can't implement the thing - forget dissemination

[bSod]

By way of clarification of the foregoing, the Specification is provided to you solely for your informational purposes (for review as specified above) and, pursuant to this Agreement, Microsoft does not grant you any right to implement this Specification.

Section 1 of the agreement specifically forbids you from implementing anything you read. Theoretically, the entire Samba team could be required to read and agree to Microsoft's license. In that case (and assuming the above clause didn't exist), they could use it (rename the variables, don't comment beyond "#@$! m$ compatability crap". It's the first clause that gets you though.

Re:It's just a CAB file

[aufait]

I think that this approach is defensable in court with or without UCITA. (Of course, IANAL)

Under existing contract law, you must agree with a contract in order to be bound by it.

In ProCD, the case that upheld shrinkwrap licenses, the judge relied on the fact that the buyer had to have clicked on the OK button in order to run the program. If you can unzip the program and read the document without clicking on "I Agree', then you have not agreed to the contract.

What is actually printed on the document does not make any difference, as others have pointed out.

Under UCITA, I believe the arguement is even stronger. Section 21-108 (of the Maryland version) states Authentication may be proven in any manner, including a showing that a party made use of information or access that could have been available only if it engaged in conduct or operations that authenticated the redord or term.

Clearly, unziping the file is a way way to use the information without agreeing, or even reading the terms.

Also, Maryland amended their version that makes any clauses prohibiting reverse engineering for compatability purposes unenforceable.

In order to be protected under trade secrets, a company must take reasonable precautions to protect their secrets. I don't think that putting a file on the web that is only protected by 'zip' would be considered reasonable.

Re:Loophole?

[Desco]

I think the moral of the whole story should be: if you develop a protocol for cross-platform use, write a license agreement with a GPL-like clause stating that all modifications to the protocol cannot be considered "trade secrets" and must be unconditionally published.

a way around

[lubricated]

so someone in a country where these kind of agreements are not legal or enforcable can read the pdf and give it to everyone else. Or better yet if they don't give it to anyone. Then people will be forced to stop using windows because it won't interoperate with their machines.

Re:a way around

[Nate+Eldredge]

Then people will be forced to stop using windows because it won't interoperate with their machines.

Hmm... the spec was just released recently. Were people "forced to stop using Windows" before now?

Re:It's just proof

[ronfar]

I think he may have finally decided to go for it and buy that persian cat...

Re:Is "Kerberos" trademarked?

[tak+amalak]

Why was this moderated down? I almost fell over laughing when I read this.
--

Re:Is "kerbspec.exe" booby-trapped?

[Old+Wolf]

Oh no!
Downloading from MS's website causes outbound traffic on port 80!
I think I just felt the Earth's foundations shake..

MS had a hold on the server market?

[Old+Wolf]

The server market always used to be owned by fat Unix systems. Recently, Linux and Windows NT have been cutting into that. MS was never anywhere near owning it.

Re:Halloween Revisited

[Old+Wolf]

The Halloween documents were written by ESR in an attempt to discredit Microsoft.

Have the Halloween documents been cited in the MS vs DOJ court case?

Re:It's just proof

[Old+Wolf]

The first, second and fourth of these are obviously true.

People really love him, and will rally to his cause before letting the government hurt MS.

I'm waiting for share traders -- if not the Government itself -- to decide that they are shooting themselves in the foot. The Nasdaq , along with most of MS's big competition, has fallen immensely since Jackson's findings. Red Hat and Corel stock value has fallen by 60%, to give but one example. The fact that the Government can intervene in a free market and attempt to cripple a company merely for being successful, has scared the investors (as well it should). MS hasn't done anything that Sun, IBM, etc. haven't done, and why would an investor put big money in a company when there is the threat hanging over his head that the Government will rip out his stock's value as soon as it gets large enough?

It's time that people woke up and saw MS as the great driver of the computing industry that it is. How low will the Nasdaq have to go before people realize?

Re:MS sucks

[Old+Wolf]

How is that a loophole? IE (5.0) just gives me the usual 'page not found'. Maybe it breaks Nutscrape or something?

Flamebait!!!

[tilleyrw]

What importance is attached to a fscking "Trade Secret"???!!! What can M$ do if you accidentally leave the specs up on your monitor and they just happen to be incorporated into Samba by a technician walking by???

This is an honest question. What can they do? Once you have information, it is free to distribute, no matter what kind of NDA you have signed or agreed to.

What can be done against a plea of "My computer must have been broken into by security expert secret agents during my lunch break".

Re:Trade secret == open season

[SmileyBen]

Erm. Am I being really naive here? What's to stop someone extracting this and anonymously posting it on the web. Then the trade secret is 'out', and from what I understand about trade secrets from what has been said about the whole CSS thing, once that happens it ceases to be a trade secret...?

Re:Here is the full agreement

[Velox_SwiftFox]

I didn't read that.

Re:And they can probably prove it if you do...

[Field+Marshall+Stack]

Why would they want to actually prove that someone used this spec? They're not interested in /proving/ anything, only in establishing doubt. If it was possible to prove that someone used the spec, then it would be easier for a team of reverse-engineers to prove that they didn't use the spec, since their work wouldn't contain the bug. It's called Fear, Uncertainty, and Doubt, not Fear, Uncertainty, and Proof.
--
"HORSE."

Re:It's just proof

[rz]

> Are you accusing Bill Gates of having a God Complex?

God or not, I think it's hilarious that in his own page, http://www.microsoft.com/billgates/, the first link in the text "Here you can find information about my background and interests;" the link to "background" gives a 404 (it's to /billgates/bio.asp not /billgates/bio.htm).

;-)

Re:Dirty trick.. or just a lapse? Or really dirty?

[folti]

What amazes me is that any company would still do any business with Microsoft at all after the Halloween Documents, with their unabashed recommendation of decommoditizing protocols as a technical solution to Microsoft's marketing problem.

Maybe the only solution would be to force (DOJ?) all people wanting to buy a Windoze box to read the Halloween Documents, and sign the document saying that they've read it, as a part of licence agreement ;) (my another Day of Silly Ideas ;) ) ...kf

Re:It's just a CAB file

[wnissen]

I believe Microsoft would have to claim that the document is copyrighted and that they have a system in place to control access to it in order to engage the proctections of the DMCA. Since the problem is not obtaining a copy of the document, but rather the license it requires you to agree to in order to read it, it would seem that there is no problem here. You don't want to copy any part of the document, you just want to write some code that uses a description from the document. IANAL, so of course a court could rule that even if your intent was not to make copies, that you broke their access control system, as they ruled in the DeCSS case. So the question that it seems to come down to is, how incompetent can the protection be to be considered an actual control? This seems about the minimum level of protection even possible.

Walt

Destroying the document

[azi]

Please review this Specification copy only if you licensed and downloaded it from Microsoft Corporations website; if you did not, please destroy this copy,

Just wondering: How can I destroy this document?

Re:Loophole?

[chown]

Just have some minors (the younger the better) agree to the license, and redistribute unencoded info.

IANAL (but I did take a business law class, part of which dealt with contract law, and making contracts with minors). I'm pretty sure if a bunch of minors did that, they could not be held legally accountable for that transgression, but the people who end up with it might be. This obviously doesn't make a boatload of sense in the digital era, but I think that's probably the way it would go.

Does anyone else know for certain? I'd be sort of interested to know how that would work.

Re:Get around the license ... ?

[chown]

You're also not bound to a contract if you were drunk when you agreed to it. So maybe if you got drunk, agreed to it, then mumbled instructions to someone across the room to reverse engineer the protocol, which is a legal means of making a compatible system, then they wrote a spec and gave it to someone to write the code for it, it would be okay. Right?

I believe that's actually on a state-by-state basis (or is there maybe something in the UCC? I can't remember, I think I was drunk during most of those classes :). But for something like this, would you be brought to bear under the state of the plaintiff's incorporation, or in the state where the act was committed?

Re:Watermarked PDFs?

[chown]

Wow... that's a really excellent idea. I think I will check it out.

Re:Watermarked PDFs?

[chown]

Generally, they are not. However, since you get this one by running an .EXE, it could be. Anyone care to do a bdiff from two copies?

Well, it was a good bit of paranoia, but it doesn't look like it. Oh well, I'm sure they're doing something though (grumble, grumble, insert-anti-ms-comment-here, grumble..) :)

Re:Loophole?

[hbo]

Oh great.
How's this for a conspiricy theory?
Microsoft widely distributes their Kerberos subverting extensions in a manner that preserves their rights to protection under trade secret law. Predictibly, someoneposts the whole spec to slashdot.

Now let's say someone else reverse engineers their crud. Someone from the Samba project, say. Microsoft hits them with a lawsuit claiming violation of trade secrets. When the respondent claims reverse engineering, Microsoft can point out that those dastards at slashdot spread the spec all over the Internet. They can also prove that someone on the Samba project at least read the license.

Of course, Microsoft might give Samba a royalty free license if they were asked nicely.
Right.

"Even if you are on the right track, you'll
get run over if you just sit there." Will Rogers

Re:Are there legal tricks to get around this?

[mrBoB]

Just do what Compaq did years ago to bust into the clone line. Get someone to download the spec, get a moron to click through, then get an intelligent programmer to read the PDF. That way, the programmer never agreed to anything; he's just reading a PDF.

Bob

Re:Ignore Microsoft's release, don't break license

[mrBoB]

Moderate this guy up! He's hit the nail on the head. This is basically what I was saying a few days ago on the Maryland UCITA passage.

Bob

Re:remember that GPL hole. .

[tytso]

Yes, but trade secret protections apply as long as the source of the information was impoperly obtained. Arguably, the minor wouldn't be bound by the contract, but the minor then probably wouldn't be entitlted to the information, so it would be considered "improperly obtained". So Microsoft could very well go after any adult who then tried to make use of the information.

What this means is that no one who might even think about doing development work on Kerberos or Samba should look at the .pdf file without getting some serious legal advice. This is very treacherous legal ground here.... definitely Microsoft's dirty tricks at their best..

Playing into Microsoft's game

[zornorph]

People are trying to find ways around Microsoft's click-through agreement so that they can post the specification somewhere... but what good does this do? While it does show Microsoft's intentions, it will also tempt people to write apps that implement it. Of course, these apps will most likely not interoperate well (if at all) with their UNIX variants, and the unwashed masses will stay with the safety of Microsoft again.

Re:Defeating Trade Secrets 101:

[esjewett]

I think the issue here is that Microsoft says this is a trade secret. Something under the GPL is certainly not a trade secret, it usually has a copywrite.

My understanding is that you can put as many restrictions as you want on something that you have copywritten but have to disclose it to whoever asks to see it.

With trade secrets, on the other hand, you get to keep them secret (i.e. you don't have to show them to anyone) but once someone gets a hold of whatever you're hiding, all bets are off.

Re:Winzip 8.0 works. was: Re:It's a zip file

[gabrieltss]

I used Plain old Winzip 7.0 under Win98 and it pulled out the PDF just fine.

isn't good old inginuity great!

Thanks to the AC who gave us the info about it being just a .zip file!

Re:Defeating Trade Secrets 101:

[fnj]

IANAL - not in spirit, and not in fact - but I think that "not required to agree with" is not the same concept as "not required to abide by". I forget - did we used to have to sign our own draft cards? I distinctly remember, in 1968, reading wording on my draft card to the effect that "subject's consent not required" :-)

remember that GPL hole. .

[Bastian]

that everyone talked about? The one about minors not being able to enter into legal contracts? Why not just get around this by having a minor somewhere download the PDF file and then post the relevant info in it to the web? Nobody said using info that someone else hacked is illegal. . that's why we have Yellow Dog Linux.

Ways around it

[Hynman]

I've seen some postings here, some I'd consider legal and illegal (hex editing I would consider illegal - reverse engineering to me) I think winzip extracting the document is still reverse engineering, or so the courts would say, because you are purposely bypassing the agreement.

Has anyone ever considered back orafice or even microsoft's own NetMeeting to have someone on a local computer view the document, while another person (authorized or not) views it anonymously, remotely (by sharing window or desktop) and takes screen dumps and runs OCR and posts it? See, the person with the remote window did not agree to the terms and is therefore not bound by them... assuming you have authorization to the PC you are viewing,it should be completely legal.

Re:Ways around it

[poolecl]

> I think winzip extracting the document is still reverse engineering, or so the courts would say, because you are purposely bypassing the agreement. But suppose you instead used Stuffit Deluxe (Macintosh) or gunzip (Unix) because you could not otherwise view the contents of a compressed .EXE file... oops, nevermind... this is Microsoft World, everyone uses Windows!

Re:Loophole?

[Entrope]

You don't read very well, do you?

I call your attention to the part you quoted which says "AT LEAST as great as the precautions you take to protect your own confidential information."

If you agree to treat certain information as someone else's trade secret and keep it confidential, there are minimal things you must do (regardless of how little you take care of your own confidential information, which you have the a priori right to disseminate). If you knowingly do less, you're still legally liable for violating that confidentiality.

Re:The license is still all over the damn thing

[jmccay]

Does it say anywhere that you can't modify it? If so is there a way around it.

In most contracts, you cross off the sections you don't like. Why can't we do that here? Simply remove the file from the CAB without agreeing to the liscence, and then remove all parts of the agreement that you don't agree with. Like for example removing the implementing part. Once that is done, just post it on the web.

Also, If you work on Open Source GPL'd projects, your "trade secrets" are open to the public. Following this line of thought, if you treat this as you treat your "trade secrets", then you make it open to the public. You'd have to look at the specs carefully.

I am a little vague on this part. Once the specs are open to the public, can't you just change the names of the structures, variable, et. al. and add a litle extra. Wouldn't that get around the not iplementing it? I am not certain. I am no lawyer.

Kerberos? Isn't it Cerebus?

[Ribo99]

..Gates and company seem to be embarking on a journey that is eerily similar to the last of the 12 labors of Hercules: the capture of Kerberos, the three-headed hound who guarded the gates of Hades.

Kerberos? I thought the three-headed dog that guarded the gates of Hades was called "Cerebus"?

---

Re:Kerberos? Isn't it Cerebus?

[sarhjinian]

Kerberos? I thought the three-headed dog that guarded the gates of Hades was called "Cerebus"?

I think "Kerberos" is the more accurate spelling from the actual Greek. "Cerebus" is an anglesized (ack!) spelling.

Re:Kerberos? Isn't it Cerebus?

[Ma�djeurtam]

the original greek would be spelled kappa-epsilon-beta-epsilon-rho-omikron-sigma: Kerberos.

Mmmh... I think you're forgetting one "rho"...

Should not that be kappa-epsilon-rho-beta-epsilon-rho-omikron-sigma ?

Just my 7.38539 drachmas ;))

Stéphane

Re:Kerberos? Isn't it Cerebus?

[GossG]

Nope. The B is definitely between two "R"s. The Greek chi is an "X" shaped letter that presumably evolved into our "K". Spelling is optional when the owner of the word (the greeks) don't use our alphabet.

eg: http://elfwood.lysator.liu.se/loth/p/a/paula/cerbe rus.gif.html

Re:Kerberos? Isn't it Cerebus?

[jejones]

It's probably a Latin vs. Greek thing--just as Hercules is the name the Latin-speaking Romans gave to the character the Greeks called Herakles. Which is which I couldn't say. (Ooh, ick. I just realized that "Kerberos" is probably pronounced "Care Bear Ohsss." Care Bears--echh!) Hmmm. Latin used hard "c" throughout; I'm not even sure they had a letter "k." So, I'd guess that "Cerebus" (pronounced "Keh-reh-booss") is Latin, and "Kerberos" is Greek. Weird things happen to words as they get borrowed (tying back to a subthread of "will there be a universal language for the Internet?" a few days ago).

Re:Kerberos? Isn't it Cerebus?

[pdion]

Well,actually no. The 'c' is pronounced exactly like 'k' not like 's' nor like 'ch'. And in Greek it is written with kappa which is equivalent to 'k'

Re:Kerberos? Isn't it Cerebus?

[pdion]

A note about the B. The Greek Beta which is written like the English/Latin 'B' is not pronounced like 'B' but like 'V' (as in venus or venture). So the correct pronounciation is more like 'kerveros'

Regarding the Greek chi: As you correctly state it is an 'X' shaped letter, however chi is pronnounced like h (in happy). There is another letter, kappa which is more or less similar to the Lating/English 'K'. It is pronnounced the same way, the capital form is the same and only the lower form is a little different

Re:Kerberos? Isn't it Cerebus?

[Pathetic+Coward]

It's "Cerberus". "Cerebus" is an aardvark.

Re:Kerberos? Isn't it Cerebus?

[MPolo]

"Cerberus" is the three-headed dog from Greek mythology, if you pass the name through a Latin filter first. (Latin doesn't use K much, and "us" is a more common ending in Latin.) If you try to be faithful to the Greek, which has Kappa Epsilon Rho Beta Epsilon Rho Omicron Sigma -- you get Kerberos.

"Cerebus", on the other hand, is an aardvark with an attitude, from the comic book of the same name, written and drawn by Dave Sim.

Re:Loophole?

[videoranger]

Actually,

I don't think Micro$uck has a leg to stand on here. Apparently, -some- user they authorized to access the files in question has policies so lax as to allow them to post proprietary information to slashdot. It would seem that that user is compliant with the license in that regard. Consequently, that user has violated no precept of the security clause, and consequently slashdot is in no jeopardy.

That being said, fuck micro$quak.

Rob, stick to your guns, pal.

Now as to the debate over the kerberos extentions they did, it would seem to me that perhaps there is a demonstrable violation of the spirit in which kerberos was developed and deployed. If there is no legal ground by which they may be prosecuted, that's ok - time will prosecute them.

Their days are numbered, and it's their own doing.

Remember CP/M? It was squashed by microsoft; now its their turn.

-VideoRanger

Re:Is "Kerberos" trademarked?

[altair1]

> No, this is not true at all. Samba doesn't
> *need* this PAC format except as an
> optimization. See my posting below in this.

Oops...I stand corrected. I read your other post, that Samba can support Kerberos authentication once the neccessary code has been added. Slightly offtopic, but is this support being developed by anyone? I'm curious, as I've been hoping Samba would support this for a while now. I asked about it a few months back on one of the Samba mailing list, but haven't heard anything. Thanks for the info.

May I claim John Doe #1 ...

[BlueUnderwear]

... for this puppy. It's the kerbspec file unzipped and without the legal boilerplate.

Re:So what happens if...

[Tau+Zero]

Exactly what loss could Microsoft claim if someone "lost" a stripped copy of the document?

Not that the document is useful, all it describes is a broken implementation of Kerberos that ought not to see the light of day. Maybe people who need M$ apps should stick with Win 98 on the desktop until WINE is good enough to run the latest version of Office, then kiss M$'s OS bye-bye.
--
This post made from 100% post-consumer recycled magnetic

Re:Loophole?

[napalm33]

How about this: The samba team implements everything *EXCEPT* the microsoft-changed bytes. Then they include an entry in the config file where you can write in some stuff (found in the pdf) that enables samba to work with microsoft kerberos? If this were done, the samba team would not be breaking any laws (maybe the user, thought).

Re:Not a trade secret

[jball]

A trade secret is a secret. If it needs to be kept anything more than that it needs to become pattented or registered into the public domain. This is absolutely rediculous.

Re:Defeating Trade Secrets 101:

[fougasse]

Fine. But my point is that with normal copyright, I can distribute works that rely on someone else's shared library.

No you can't -- unless given permission to distribute something, copyright does not allow you to distribute it, incorporate it into another program, whatever. You can't take a .dll (dynamic library) from a commercial Windows program, include it in your program, and then distribute that program.

Re:Defeating Trade Secrets 101:

[fougasse]

Considering that a battery of highly trained, ravenous lawyers looks over every legal document that Microsoft produces, I'd guess the GPL. Actually, I'd say neither, but I wasn't given that choice.

Who does these things!?!?

[neowintermute]

I would like to believe that a company with as much $ as M$ would hire relatively intelligent people. I would also like to believe that relatively intelligent people have a certain awareness of the implications of their actions, especially from a professional point of view, especially in computer science, where the code you write today may be executed millions of times in the future on different systems, etc...

So my question is this: Who are these people at microsoft that do these things? Do they put adds that read like this:

"Looking for qualified c++ programmer. Must enjoy hurting animals, pulling the wings off of flies, and implementing systems to damage the security of files containing secrets of people all over the world."

?

Doesn't it seem like they have no problem finding tons of smart coders to implement things that hurt people and threaten their freedom and security? Things don't look good for those of us who value of freedom in a world populated by people dying to work for microsoft...

___________________________
Michael Cardenas
http://www.fiu.edu/~mcarde02
http://www.deneba.com/linux

Re:Get around the license ... ?

[keil]

You're also not bound to a contract if you were drunk when you agreed to it. So maybe if you got drunk, agreed to it, then mumbled instructions to someone across the room to reverse engineer the protocol, which is a legal means of making a compatible system, then they wrote a spec and gave it to someone to write the code for it, it would be okay. Right?

Winzip 8.0 works. was: Re:It's a zip file

[fanatic]

On my NT box, I had to upgrade to Winzip 8.0 - the older version I had (7.0, I think) wouldn't work.

Re:It's a zip file

[fanatic]

Did you try it before you posted? I did - winzip on windows and unzip on Linux both fail.

Dirty trick.. or just a lapse? Or really dirty?

[Paul+Neubauer]

Time and again we've seen Microsoft "bashed." Most of the time they've earned it. But when another company does something not considered right (say, nVidia) it gets somewhat better treatment.

Now, I trust Microsfoft not as far one can comfortably spit a rat, but was there any call yet to verify if this was a lapse? "Slap on the usual license.." or such? I didn't see one. Not one, or just missed it. No astroturf, even.

I'm thinking it isn't a lapse and is something will have to sorted out by careful means. That is, the information obtained in a way that is legal enough to pass the lawyers, lest we have another DeCSS thing, the story of which drags on, despite the information having spread beyond any hope of containment.

And, being less charitable and more suspicious, try this on. Suppose the content is only partly right, by design. It will need verifying, or there will be much disinformation distributed, with a resulting more insidious incompatibility.

Re:Dirty trick.. or just a lapse? Or really dirty?

[Black+Parrot]

> What you can do is tell all your friends about what Microsoft is doing, especially those folks who work in I/T departments. Get them to understand why accepting a Windows 2000 deployment isn't in their company's long-term interest

What amazes me is that any company would still do any business with Microsoft at all after the Halloween Documents, with their unabashed recommendation of decommoditizing protocols as a technical solution to Microsoft's marketing problem.

When your vendor says "Sorry, but it's easier to compete in the marketplace by fucking you than to compete by producing a better product at a better price", then it is time to find another vendor.

It amazes me that they've sold a single box since that bald suggestion was publicized. Let alone now that evidence of them actually using the suggestion has been revealed to the larger public.

--

Re:Dirty trick.. or just a lapse? Or really dirty?

[tytso]

Now, I trust Microsfoft not as far one can comfortably spit a rat, but was there any call yet to verify if this was a lapse? "Slap on the usual license.." or such?

I admire your charity..... but this is definitely not your usual license. Calling it a trade secret, and then adding the deliberate amplification that you're not allowed to create implementations of the specification is definitely not a stock legal license. This was something very carefully crafted to preserve a monopoly situation with respect to implementations of their propietary extensions of an Open IETF standard.

This very carefully allows Microsoft to throw sand in the arguments of people who are complain that they part of the security protocols are secret, as Bruce Schinier recently complained. But at the same time, it doesn't allow anyone else to implement a compatible implementations. Obviously, they're still pissed that you can implement things like Samba, so that windows boxes can be served by Unix boxes. Windows 2000 is a way of trying to head that off.

What can people do? Posting the pdf file on various web sites, as some people have done or threatened to do, isn't particularly helpful. In fact, to the extent that it makes it harder for people who are working on reverse engineering the protocol to prove that they weren't tainted with information that came from a trade-secret contaminated source, it actually can be doing people a real disservice.

What you can do is tell all your friends about what Microsoft is doing, especially those folks who work in I/T departments. Get them to understand why accepting a Windows 2000 deployment isn't in their company's long-term interest, since it will eventually put them under the monopoly thumb of Microsoft. We can't trust the DOJ to protect us. We have to get the word out there, and protect ourselves. Remember, if you don't use Propietary Microsoft code, then you can't get caught by Microsoft's games.

Re:So what happens if...

[jerdenn]

Why do you refer to copyright? This doc is not copyright, it is a 'trade secret'. There is a world of difference between the two.

-jerdenn

No Matter.

[nihilogos]

... you must take reasonable security precautions,at least as great as the precautions you take to protect your own confidential information ...

Does this mean the RIAA can agree to the licence agreement, encrypt it using CSS, and sell it on DVDs?

Can you say "Circular Logic"?

[JSBiff]

There, I knew you could. ;-)

So what your saying is that Microsoft doesn't need to adhere to standards because the rest of the world isn't compatible with Microsoft because Microsoft keeps breaking the standards?

Re:Loophole?

[user]

I call your attention to a quote from Entrope's post which you ignored:

If you agree to treat certain information as someone else's trade secret and keep it confidential, there are minimal things you must do (regardless of how little you take care of your own confidential information, which you have the a priori right to disseminate). If you knowingly do less, you're still legally liable for violating that confidentiality.

MS says you must take precautions which cannot be less that those with which you protect your own data - it does *not* say, nor does it imply, that such protection (i.e. equal to that with which you protect your documents) is sufficient, merely that less that that is *certainly* insufficient.

Let's let A = "resonable security precautions", B = "the precautions you take with your data", and X = "the precautions you take with *this* data".

the license says:
you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information

So... you must ensure (X >= A) && (X >= B). Note, then, that if (B = A).

-User

Re:Loophole?

[user]

(Sorry... cut off (user error))

So... you must ensure (X &gt= A) && (X &gt= B). Note, then, that if (B &lt A), you *still* have to take resonable security precautions, that is, ensure (X &gt= A).

-User

So what happens if...

[SEAL]

Say some anonymous individual decides to separate the technical specifications from the legal garbage, and distribute them on the web.

Obviously this person has violated the click-license agreement. But what happens if Jeremy picks up the stripped specs and implements them? Jeremy has agreed to nothing. So is he accountable? Is there something in the DMCA or other law which would place him in jeopardy?

Just curious,

SEAL

Re:So what happens if...

[Simon+Brooke]

However, suppose fifty people were to download it without agreeing to the licence (I just have, from http://warot.com/freedom/kerbspec.pdf), and each quoted just one paragraph on their web site (copyright law allows for the fair-use quoting of small parts of a document), and then suppose someone else later came along independently and made a Web page which linked to all those single paragraph Web pages, what law would have been broken?

As an example of what I mean, I have posted an example paragraph here

Re:So what happens if...

[Matthew+Weigel]

Obviously this person has violated the click-license agreement. But what happens if Jeremy picks up the stripped specs and implements them? Jeremy has agreed to nothing. So is he accountable? Is there something in the DMCA or other law which would place him in jeopardy?

You mean, like copyright? Owning copyrighted without ever having been licensed to do so? Modifying copyrighted works?

Just because the information contained in the doc is a trade secret, doesn't mean that the doc itself has no protection. It's no different from grabbing a Word doc of Ender's Game and throwing it on the web, sans copyright information.

Reverse engineer the .exe for "compatibility"

[twivel]

So when is someone going to bring out the good ole hex editor and extract the PDF without running the program?

Re:OUCH! Check this out...

[mcrandello]

I thought it was "Rubber baby buggy bumpers". Oh wait, your's must be the extended version. My bad. Cheque's in the mail :-)

Re:Not a trade secret

[Observer]

Indeed. And this time it's the owner of the trade secret who has made it available, in a public place, of their own free will, with precautions to maintain confidentiality that anyone familiar with the place would know are totally inadequate. And I don't think even MS's lawyers would have the affrontery to claim that the company was unfamiliar with the way things happen on the 'Net....

Fodder for the Anti-Trust Case

[sarhjinian]

Although everything surrounding Microsoft's anti-trust case has pretty much wrapped it, this would have been a nice addition to the "Stifling Competition" pile.

Question: Assuming that it's possible, is reverse-engineering Microsoft's Keberos extensions legal?

Re:Loophole?

[CSG_SurferDude]

What happens? /. gets sued, that's what!

What a Naughty boy/girl you are

Re:OUCH! Check this out...

[TheCarp]

Well IANAL but...

by obtaining it in this way, you have not actually
agreed to any licence. I don't think that "By
reading this" you can actually be held legally
responsible for anything...afterall...since its
part of the document, then there would be no way
to know the terms before you agree.

besides...you, the obtainer, have not broken any
law, except maybe copyright law....but...fair use
still applies (there was an mp3 article a while
back where both sides lawyers agreed that fair use
applies, regardless of whether the act of
obtaining the material is illegal)

As such...you could use it to add the info to the
kerberos spec :)

All in all it would just be best if someone
converted it to plain text and sent it to an
anonymous remailer - posted into usenet. (are
there still anonymous remailers that post to
usenet? sigh...I still lament the loss of
annon.penet.fi)

Laugh. It's funny!

[Steeltoe]

ANAL, but this is just too much :-)

Folks, let's stop trying dumb us self down to the level of lawyers here. This is actually the best thing that could happen, because it shows excactly what kind of monopoly Microsoft is. The mere fact that the company can be so arrogant as to publish their proprietary extention to Kerberos with a license claiming to be a trade-secret is something to laugh your head off, not be frightened of. I know the face of it can look scary, but wait a day and you'll see that this will only be Microsoft digging their own grave. They act like sociopaths wanting to be martyrs and be granted our forgiveness. Let's not be so naive and fall head over heels over a cheap trick.

A company may have trade secrets, and successfully enforce agreements from employees and third-parties that should not reveal them. However, you can't have the whole world as a third-party! That defeats the purpose of the trade-secret altogether since the disclosed information should only be known by trusted people. Once the information is out, it is public domain. Information and speech is supposed to be free, look it up in your Constitution. You may sue a few persons, but you can't sue a nation, not to mention the whole world!

This'll certainly show folks what the UCITA is really about and that click-through licenses are unenforcable and unacceptable.

- Steeltoe

"The DMCA is a perfect example of the harm done when business dominates government and society. One part of the law explicitly says that only commercially significant activities are considered important (to legitimize a program which is often used to bypass technological means of controlling the users)--showing explicit prejudice against educational uses, recreational uses, communitarian uses, military uses, and religious uses." - RMS

Re:Better than a patent

[Steeltoe]

Let's not forget who pays for all these suits, you and me (assuming you have purchased MS branded products). Now why don't customers demand the money better spent? Why do we buy from a company working against the public?
When did companies become the means to all ends?

You'll get the answers next week ;-)

- Steeltoe

Re:Better than a patent

[Steeltoe]

MS does like every company do namely counting each pirated software as lost revenue. It's hard to convince them, the public and courts otherwise without hard numbers, In fact, I'm unsure about the dynamics of this myself but anyone thinking piracy isn't promoting bussiness in some degree should have their head examined.

Personally I think MS Windows became what it was because "everybody" (PC Magazines, executives) wanted it. Now they got it, and then they start complaining. Clueless. You make the bed, you sleep in it.

- Steeltoe

Re:Loophole?

[Steeltoe]

"But that wouldn't be free!"

Hehe.

- Steeltoe

Re:Trade secret == open season

[Steeltoe]

Not according to Common Sense (tm), but I guess that's out of fashion nowadays..

- Steeltoe

Re:It's just proof

[gfxguy]

1 - Lot's of people that they've done nothing wrong when in fact, in the eyes of the law, they have. Not that I'm defending them here, but it is completely plausible that one could err and still believe they did what was right.

But I'm not just referring to the current situation - I'm referring to always. In it's whole existence. I mean, Bill Gates really justified per-processor licensing to himself. He truly believed he had every right to do it. It's only gone downhill since then.

2 - I think that Microsoft did indeed help the industry. They provided a low-cost common platform for people to develop applications for. Sure they bought it from QDOS or whatever, but if they hadn't would the people who had QDOS had thought to call IBM up and say "hey... i've got this operating system?" Doubtfully. It's not like Microsoft made it so that the Unixes broke apart in every direction in the publics perspective.

Well, this is always going to be a point of contention between people because we will never know what would have happened if Microsoft hadn't held back the industry for so long. There may have been some benefits to the industry from Microsoft, at one time (and then again, maybe there wasn't). But ever since they had the dominant position in the OS market, they have held back technology as best they could. That's not an opinion. The 386 was around for years before they even put in support for more than 1MB, and even then it was only because they were threatened with a very good competitor - DRDOS. And we have MS to thank for DRDOS' demise. That's not a matter of opinion, it's a matter of history.

And once again, it's gone downhill ever since.

3 - People DO love him. Microsoft, up until the past few weeks, was one of the surest picks for year over year growth, profits, etc... Look at where $1000 invested in Microsoft 15 years ago would be today. Compare that with Apple, Novell, IBM, etc... For that reason, investment managers do love the company and him, since upuntil recently he ran it.

But it's also true that MS is succesful despite itself, not because of itself. Besides, investors may very well indeed love Bill Gates, but knowledgeable computer users do not. It always seems to come down to people who are making money. They love Bill Gates. All the people who invest in the company, all the people who provide support, those IT personel.

Then, on the user side, all the people that side with Bill Gates are the ones who think they are saving big bucks by having applications bundled with their computers. Sure, Bill is great - I didn't even have to download a browser from anywhere, let alone buy it! I love Bill!

But this is an unarguable point, so I'll call it a draw.

Cheers.
----------

Re:It's just proof

[gfxguy]

And of course, DesqView386 offered true multi-tasking on the 386 processor, taking advantage of all the new capabilities of the processor while maintaining 100% compatibility with DOS applications. About 10 years vefore MS got around to it...

Very true! To be fair, there were lots of third party products to access extended memory, and add multitasking ability (as you point out).

All were Microsoft innovations, though. Bill Gates says so.
----------

It's just proof

[gfxguy]

That Bill Gates is truly psychologically challenged.

I mean it, really. I think he honestly believes that:

• He has done nothing wrong.
• Microsoft has propelled the industry far beyond where it would have gone without it.
• People really love him, and will rally to his cause before letting the government hurt MS.
• What MS does is innovating.

I honestly believe he has a god complex.
----------

Re:It's just proof

[um...+Lucas]

1 - Lot's of people that they've done nothing wrong when in fact, in the eyes of the law, they have. Not that I'm defending them here, but it is completely plausible that one could err and still believe they did what was right.

2 - I think that Microsoft did indeed help the industry. They provided a low-cost common platform for people to develop applications for. Sure they bought it from QDOS or whatever, but if they hadn't would the people who had QDOS had thought to call IBM up and say "hey... i've got this operating system?" Doubtfully. It's not like Microsoft made it so that the Unixes broke apart in every direction in the publics perspective.

3 - People DO love him. Microsoft, up until the past few weeks, was one of the surest picks for year over year growth, profits, etc... Look at where $1000 invested in Microsoft 15 years ago would be today. Compare that with Apple, Novell, IBM, etc... For that reason, investment managers do love the company and him, since upuntil recently he ran it.

4 - No argument from me here :) All they seem to do is sit back and wait for a good idea to spring out of silicon valley, buy the company or destroy the company, and reimplement that technology in windows or office.

Re:It's just proof

[NMerriam]

I guess Windows 386 (1987) was a figment of my imagination.

Nope, it was real. It just didn't do multitasking (task switching at best), and MS didn't have a multitasking OS until OS/2-WinNT in the 90's. Didn't have a multitasking consumer OS until win95 (arguably) or Win98.

Re:It's just proof

[Black+Parrot]

> About 10 years vefore MS got around to it...

Innovation isn't the kind of thing you want to rush.

--

Re:Is "Kerberos" trademarked?

[acfoo]

It is a DEAD Trademark:

Typed Drawing

Word Mark: KERBEROS

Goods and Services: (ABANDONED) IC 009. US 038. G & S: computer software and instruction manuals, sold as a unit, for use in authenticating participants in computer networks. FIRST USE: 19860306. FIRST USE IN COMMERCE: 19900614

Mark Drawing Code: (1) TYPED DRAWING

Serial Number: 74251246

Filing Date: March 2, 1992

Published for Opposition: February 2, 1993

Owner: (APPLICANT) Massachusetts Institute of Technology CORPORATION MASSACHUSETTS 77 Massachusetts Avenue Cambridge MASSACHUSETTS 021421324

Type of Mark: TRADEMARK

Register: PRINCIPAL

Live/Dead Indicator: DEAD

Abandonment Date: July 11, 1994

Those entrpeneurial might want to get it and use it as a stick against M$ (or against SAMBA if you're evil).

Open Standards License?

[Life+Blood]

What we need is some way to license protocols so that they can remain legally enforcable open standards. An Open Standards License. Under such a license, any extensions to the standard would have to be documented and open as well. Seems to me this would be a good thing, but I don't know if there is any way to do it in current law.

Re:Get around the license ... ?

[zaphod.nu]

Well, he can't agree to the license since he is a minor.
But that would only make his gaurdians responisble. IE, his parents.

.sig
Note that these are my personal opinions, they are just as faulty as anyone elses.


.sig

yr .sig

[daemonchild]

hate to be nit-picky, but you're missing a bracket ...

(I thought so : ))

unless, of course, you *meant* for just the bare colon ...

and yes, i do code in lisp frm time to time

Review the SPEC and critique the details!

[mrolig]

I will quote the Microsoft web page "Microsoft invites third party review and validation of this implementation so that Microsoft's customers and development partners can be assured that the implementation of Kerberos in Windows 2000 is within the letter and spirit of the specification." So go REVIEW the spec. Discuss ALL the details and say why it sucks!! For sure every one will learn how it works. A publication on the internet of your review MUST be legal if they are asking for third party review to assure customers. They're asking for you to disclose the information for them!

Re:It's just a CAB file - Mods?

[ChadM]

this should be modded up.

of course, i have this weird feeling deep down inside my mind that the DMCA won't be with us much longer, at least if it is it will be pared down.

Re:can this be bypassed?

[brokenin2]

No, the secrect can't really be protected, but the contents of their document can be by copyrighting the document (which they've done)

It seems to me that most people are missing how dirty and underhanded this move really is on Microsoft's part.

Reverse engineering their software to figure out how to impliment this in an open source project, is still a totally valid way to go. You can't use their document to find out, but you can reverse engineer a solution. The problem is, they're flooding the planet with the information intentionally to taint the pool of people to reverse engineer it !!!!!!!!!!

Now what happens is that someone wants to create software to work with M$'s software, so they start learning what they can about the protocol. They immediately run across this document and take a look at it.. oops, they are no longer available for the reverse engineering effort.

Some day, when enough people actually manage to get this thing reverse engineered, without having looked at the document, then they're stuck with trying to prove that they never got a single hint anywhere anytime in any way from that document. That means no hints from anyone in a newsgroup that read the document, about anything about the protocol, it's weaknesses, it's fundamental design, or even probably how many bits the encryption they're using is.

Microsoft has learned their lessons well with regard to reverse engineering... You can make it hard by not giving out any information, or you can make it impossible by giving it all out but writing nasty license agreements. What the samba team did with the NT PDC code, Microsoft thought was impossible... This time they're not taking any chances on it.

Re:SAMBA in binary.

[brokenin2]

...but make sure that you write the new samba license so that reverse engineering is illegal for Microsoft.. that way you'd have a great counter suit opportunity..

Re:Defeating Trade Secrets 101:

[RickHunter]

No, you don't seem to understand. The GPL grants you EXTRA rights, but only if you comply with some limitations they've placed on those EXTRA rights. The Microsoft lisence, on the other hand, removes rights in a non-negotiable way without you signing any kind of contract. One is illegal, the other isn't. Guess which is which.

-RickHunter

Re:Defeating Trade Secrets 101:

[RickHunter]

Remember. Just because lawyers say its legal doesn't mean it is. A lot of corporate lawyers put things together and claim they're legal (like shrinkwrap lisences), when really they've little if any power. Of course, that changes under the DMCA and UCITA, but since both those laws pretty much take every law and legal precident for the past hundred years, study them closely, then go and do exactly the opposite...

-RickHunter

Re:Loophole?

[Sun]

WOW!!! Stop right here!!! You all realize that MS views that as a trade secret. We all think this is silly - but that's not the point. If you want to find a way to get the info without agreeing to the license, that's fine. If not - don't intentionally be negligent. If not out of respect for the law, at least because the "Other" guys read these comments as well. I think it is totally legitimate to try and find out what the protocol is. I, for one, am not going download it, or do anything else that binds me by their license. If anyone else feels like trying to find out what it is without pressing "I agree", or getting it from someone who doesn't care about the law, feel free to email me. I have just stopped reading these comments. Shachar

Re:Loophole?

[Superunknown_GP]

This is a bad and wrond solution to this. Interoperability will not be achieved by breaking compatibility with Win2K. I think the solution to this is to "clean room" it by sending it to someone in some Eris-forsaken republic ending in -stan, and having them remove all the trade secret/licesening information, and sending it back to someone here in the U.S. Therefore, you can say that there was no license on the version you read. Then someone can implement it based upon that version.

I think this sort of thing would be the best solution to the Microsoft case-force them to base everything on every layer on open standards. Then anyone could compete with them in any product area. Think you can write a better kernel tham M$? Go ahead. You'd have to start from scratch, but you could make it completely compatible. The other half of the solution, of course, is that you'd have to force Microsoft to charge the same price to everyone, thus negating their power over the OEMs.

Just my $1.00/50

So...

[AsbestosRush]

If I own an open source company like RedHat (or a similar company that has no proprietary code and is publicly held), then I could distribute this code like I would any other "sensitive information"? (of which I would have none, right?)

Re:Loophole?

[B'Trey]

Because the requirement is that X be >= the larger of A and B. If A = 5 on some scale of security but you have supertight security on your own trade secrets, such that B = 1000, you must protect the MS "trade secret" at 1000.

i hate to get technical, but

[DrEldarion]

i believe it's Cerberus...

-- Dr. Eldarion --
It's not what it is, it's something else.

wow, THAT'S hard to get around...

[DrEldarion]

well, gee, lemme think... someone will get it, go to a library or other such place, post it somewhere, then everyone and their mom will mirror it...

-- Dr. Eldarion --
It's not what it is, it's something else.

Maybe that's what they want

[scruffyMark]

Bill: "Why, your honour, we released the specification, with a contract stipulating that it was to be used for the sole purpose of security testing. However, malicious hackers managed to obtain the specification without agreeing to the conditions, and began implementing their own versions. We did our level best to embrace the open source movement, but we only got burned."

Or am I just being paranoid?
Ha ha ha! Sorry.

Re:Does this hamper legitimate reverse-engineering

[epukinsk]

> WIPTBIOW WTHITSTM? SOTAGOOH. -Erik P.S. (what the hell is this supposed to mean? Some of these acronyms get out of hand.)

Re:hello

[|0|4]

"Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporations website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerberos .
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document."

This strikes me as a bit odd. 'Cause I can go to their site and download the .exe without agreeing to anything.

So, basically, we have a licence agreement to which we are assumed to have agreed - before we were aware that any such agreement even existed.

Doesn't this remind anyone of the 'shrink-wrap' EULAs on most laptops and PCs lately? 'By opening the package, you agree to the EULA contained within the package' kind of stuff.

IANAL, but doesn't this strike anyone as just a little bit unenforceable? It's the equivalent of asking you to sign your name at the bottom of a contract, before you're allowed to see said contract. Which is, I believe, not legal.

- |0|4

Re:Logic flaw

[jabkie]

no.. since you release your code, that is not your "confidential information." your confidential information probably includes things like your important passwords

but IANAL
--

Re:Not for interoperability!

[rcw-home]

Microsoft does not grant you any right to implement this Specification.

Luckily, we've put the constitution in charge of granting us rights rather than Microsoft.

Re:Not for interoperability!

[rcharbon]

Does that mean I can't install Win2K if I read it?

Blame Intel

[rcharbon]

"Because of all the horrendous assumptions they made years ago (ie, Who will ever need more RAM than 640k)"

The 640K limitation was due to the processor architecture, not Microsoft.

/. easy to assimilate?

[ronmlgaw]

Is it really this easy for Microsoft to assimilate even as intelligent (albeit less paranoid than I) a crowd as slashdot?

Who really wants or needs the MS standard? I believe they realized right away what a mistake they made when they altered the standard. There are other choices for encryption, there are other models to use to get around the requirement, and there is no practical value to what they have done. Sure, some admins may have Kerberos in place with Unix and would like to link Samba using Kerberos, but how many?

No, if MS wants to see acceptance of a standard in the IT environment, they need SOMEONE ELSE to implement that standard for them. That strategy would be blatantly obvious if they simply released their (un)standard, so they released it a way that appealed most strongly to those who want to take away MS's power over their IT lives. Now someone will go and implement the MS (un)standard on SAMBA, MS will have another publicity target to say someone stole their Trade Secret, and many IT professionals will find it easier to implement Win2000 into their Kerberos-encrypted networks.

One other thought: Could this be used, much like the deCSS suits, to stop distribution of SAMBA as a tool of piracy if tried in the same (clueless) court in California?

Min. Requirements: 64M RAM, 450MHz Pentium, 65k bugs, 500 Meg install, 2 Month waits for security patches, paying an extra $105 per system, and a daily revision of world-wide standards. Modern innovation delivered to the masses.

Re:Loophole?

[scott@b]

Perhaps do something such as leave the PDF on a machine running one of several Microsoft programs that make your drive public on whatever network you are connected to...

Aren't they State Laws?

[rynoamy]

Aren't trade secrets enforced only by state laws? If so, if I download it here in RTP, NC (from their site in Redmond, WA--the point being that it's across state boundaries, which two states are not really important), isn't it now unenforceable as a trade secret? States aren't obliged to enforce each other's laws (otherwise why would each state bother to have it's own legislature??). Anyway the only thing trade secret laws allow you to do is sue somebody for damages if they reveal it (AND agreed previously to protect it as a trade secret--this being the point of an NDA--as this license appears to be trying to get you to do).

Of course, I suspect they might be able to use a few provisions of DMCA to enforce it, but somehow it just seems.. well.. weak. Why bother?

But then, IANAL ...

Re:Defeating Trade Secrets 101:

[helo]

but the license is a copy protection device, and the DMCA forbids circumvention of a copy protection device. you can use WinZIP to circumvent the license, so you are circumventing a copy protection device, which is illegal.

-helo

Re:Defeating Trade Secrets 101:

[Dahan]

Right. Copyright is for published material.

From http://www.loc.gov/copyright/circs/ci rc1.html:

WHAT IS COPYRIGHT?

Copyright is a form of protection provided by the laws of the United States (title 17, U.S. Code) to the authors of "original works of authorship," including literary, dramatic, musical, artistic, and certain other intellectual works. This protection is available to both published and unpublished works.

Re:Defeating Trade Secrets 101:

[Dahan]

Since when is a computer communications specification art?

Doesn't actually have to be art... from http://www.loc.gov/copyright/circs/ci rc1.html:

WHAT WORKS ARE PROTECTED?

Copyright protects "original works of authorship" that are fixed in a tangible form of expression. The fixation need not be directly perceptible so long as it may be communicated with the aid of a machine or device. Copyrightable works include the following categories:

• (1) literary works;
• (2) musical works, including any accompanying words
• (3) dramatic works, including any accompanying music
• (4) pantomimes and choreographic works
• (5) pictorial, graphic, and sculptural works
• (6) motion pictures and other audiovisual works
• (7) sound recordings
• (8) architectural works

These categories should be viewed broadly. For example, computer programs and most "compilations" may be registered as "literary works"; maps and architectural plans may be registered as "pictorial, graphic, and sculptural works."

Would never be upheld in court...

[DNAGuy]

Trade secrets are required to be "secret" in order to be considered as such. Microsoft's own Encarta World English Dictionary defines a trade secret as follows:

trade secret (plural trade secrets) noun

1. company's secret: a secret formula or technique that is used to make a product, known only to the company that manufactures it

2. secret: any secret (informal) Which shampoo do you use - or is it a trade secret?

There is precedent behind this. The courts require that a company take reasonable measures to prevent the dissemination of "trade secrets" if they are to be protected as such under intellectual property law. If not, the information may still be copyrighted, etc., but no longer qualifies as a trade secret.

This is a very important distinction to make. For example, CmdrTaco could declare Slashdot a trade secret, and sue you in civil court for stealing when you viewed it without permission. However, the courts would rule that the trade secret law did not apply because he had not made reasonable efforts to keep the information within the confines of his company. His copyright, however would still apply, so those stealing and reusing his work as their own without permission would still be liable.

As an aside, I'm an NTBugTraq subscriber and I've paid reasonably close attention to the discussion of the differences between Microsoft's implementation and the Kerberos specification. I have been of the understanding that Microsoft has not, in fact, violated the specification, but that they have added several features not included therein. This is similar to what they did with J++, where it actually surpassed Sun's implementation of Java at the time (according to Sun's tests) but added several features specific to Windows and not included in the specification.

There are those that would say that this sort of extended implementation equals non-compliance. For what it's worth, I disagree. I say, forget the religious issues. If you don't want to use the extensions, don't. Microsoft's platforms will still integrate into your solution. That's compliance in my book.

Re:Better than a patent

[ryanw]

I agree with you 120%! Seriously. What is the KEY reason Microsoft is on just about EVERY desktop in the world? You think it's because their product works well? You think it's because they were inovative? Of course not!!

Here at slashdot, we know better.. right? =)

But the reason that Microsoft's products have infected the world like a plague is because they ALLOW their programs to be coppied and pirated. I think the PIRATE communite is to blame for Microsoft being on everyone's desktop.

Microsoft's marketing team was right on the money! Have a few people buy it initially, make it easy for them to "SHARE" it with their friends, get it on everyone's desktop... once it's everywhere goto OEM Sites to have it include it with their hardware because you can PROVE that YOUR PRODUCT IS WHAT EVERYONE USES, so they need it included with the hardware. And BAM.... We see microsoft as it stands today.

ALL Due to pircay and lack of good copy protection schemes.

I'm sad that we all fell for it. We thought we were getting away with getting free software, where infact we were helping to build the ultimate evil empire.

Ryan

PRINT IT, SEND IT TO YOUR CONGRESSPERSON

[NetBoy]

Copy the page, send it to your congressperson.
This is a classic example of abuse of
monopoly power.

Re:Loophole?

[istartedi]

Yawn... has anybody printed it out on a T-shirt yet?

Re:Defeating Trade Secrets 101:

[geekoid]

-- Oh, wait, I forget ... the only people who read slashdot anymore are corporate zonks who slave away the hours under MS-Windows by day, run Linux and pretend to be revolutionaries by night.
I don't know if you ment it as a troll, but I'm offened by that statement. I will not force you to remove it(even if I could), but it does smack of troll dung.

Re:Trade secret == open season

[jeff_bond]

So Microsoft are not granting you the right to implement. Maybe you had this right all along. Microsoft's wording here does not say they are removing any of your rights, it just says they are not giving you additional rights.

Jeff

Re:Did Micro$oft have to do this.

[jlrobins_uncc]

Simply splitting the Office group away isn't going to stop Microsoft from playing dirty tricks in the client/server OS space, just as they've done here.

Not directly, but by creating a separate company that markets Office which may be well inspired to sell their Office product(s) to more than one OS, one can hope that one would have less of a need for the other company's client OS products, then significantly lessening the desire to own the other company's server OS products, including the ugly red-headed mutant bastard child of K5 servers.

Add to the list:

[DerFeuervogel]

Gates sees him self as: a visionary who is somehow endowed with a mandate by his sheer genius as to how to lead the computing world into the 21st century. Of course that mandate needs a revision from time to time when reality is out of sync with previously published predictions. "The Road Ahead" comes to mind.

Put another way: Stuck in a world where his power is unquestioned even Gates believes the dilutions that come into his mind. Reality is not an option. To think this whole DOJ issue could have been resolved without:
1. Loss of face my Microsoft
2. Loss of stock price
3. Any changes in corporate behaviour
4. Certain continued growth for NT on the server side
And much more had this megalomaniac only gave a little when the DOJ came a knocking.
But true "visionaries" lost in a world of their own creation will never see that. -DF

Re:Oops

[br4dh4x0r]

haha

i give up

pity me,
br4dh4x0r

Getting around the licence

[mrquinn]

I would advise anyone who is thinking that by getting around the licence they are not subject to the licence to go back and read the documents regarding the DVD trade secret violation suit in CA. They make it clear that if you know that a licence exists and you deliberately go around it that is no excuse.

Perhaps someone in Maryland could ignore the lisence because the UCITA states that click through licence terms are enforcable. But the UCITA is not in effect yet. This would imply that the law is needed to make those terms enforceable.

Re:The license is still all over the damn thing

[Frank+T.+Lofaro+Jr.]

Even if click-thru or shrink-wrap licenses are valid doesn't mean a license which you merely read is valid. See, you need to take an intentional action (clicking or opening a package) in the first case which could (especially with UCITA) be considered like signing a contract. But merely reading a license agreement doesn't bind you. (Disclaimer: I am not a lawyer). Imagine if merely reading a contract bound you to it in the real world. That is too far out for even most judges to go.

That being said, if you don't agree to the license you get no rights under it. So you would be left with all the rights and restrictions granted and imposed by copyright law, including fair use, but also including not being allowed to redistribute. You likely could implement off the spec (using ideas from a copyrighted work may be fair use or not in the scope of copyright, but if it is considered a derived work, then you could be considered infringing).

As for the DMCA, if the EXE is considered a copyright protection measure, then distributing a tool to break it is illegal (could WinZIP get in trouble, probably not, it has other uses which are more important), but breaking the protection yourself is legal until October 2000.

Re:Ignore Microsoft's release, don't break license

[Frank+T.+Lofaro+Jr.]

I think there are 2 other options. Consult a lawyer for real advice:

1. Seek "declaratory judgement"
2. File a lawsuit enjoing enforcement or to have the law declared unconstitutional

Re:Trade secret == open season

[Frank+T.+Lofaro+Jr.]

UCITA isn't law yet. There is a moratorium on its going into effect in Virginia. Maryland is still considering it, as far as I know. It isn't law in any other state (yet). Also, even if a click-thru license is validated, that says nothing about the case where you can still use the product without agreeing. If you click Yes, you could be bound. But if you can still get it to work some other way you might be off the hook. I am not a lawyer, but I know that many times defendants get off on technicalities like this. Plus I think there are very low damages possible even if there are violations. I read UCITA, and it seems to be about breech of contract, actual damages and actual profits. No mention of statuatory and punitive damages. Consult a lawyer for real details. Compared to the DMCA, UCITA is much less dangerous (but still very dangerous none the less - but the current situation isn't very free - I think Kentucky has held shrink wrap licenses valid for years)

M$ is of the devil

[laugau]

Guess what, the license agreement is also part of the document, open the spec and you are bound by it. Damn, my eyes...

Re:Ignore Microsoft's release, don't break license

[kfg]

>Until a lawyer comes along and officially says that Microsoft's attempt at doing an orwellian double think specification release runs afoul of the law, leave this stuff alone.

There is, I'm afraid, a very fundamental flaw with this argument. VERY fundamental.

A lawyer cannot officially say that anything is illegal or not. A lawyer can do nothing but *argue* the legality in front of a judge. Only a *judge* can officially rule on legality.

What does a judge need to render such an opinion? A pending case.

All laws and contracts, no matter how blatantly illegal on the surface require that someone, 1: Break said contract or law, and 2: Get prosecuted for the violation.

So, at minimum, at *least* one person needs to not "leave this stuff alone" for it ever to be officially declared afoul of the law.

Review the Scope's trial for a full understanding of this, or perhaps the story of Rosa Parks. Ms. Parks had to FIRST refuse to move to the back of the bus, THEN a law could be legally reviewed.

The entirely modern idea that laws should be obeyed no matter what until overturned by strictly legislative action is not only wrong, but actually antithetical to the entire political and legal foundation of the United States. The system is actually constructed in such a way that it virtually requires, *as an act of GOOD CITIZENSHIP*, that in certain circumstances people break the law. Even moreso with meer issues of contractual law.

What's more, this is not an accident, it was built that way by the founding fathers on purpose.

Re:Ignore Microsoft's release, don't break license

[kfg]

Ah well, that's different then.

If you go back and read your own post though, you'll find that that's not what you said.

This last I tend to agree with, with the caveat that a lawyer can still only advise on the his opinion of the merits of the case, and whether he'll take your money or not. He's likely to take your money in a case such as this whether he thinks the case has merit or not.

In any event, this is surely new ground here. Just as Rosa Parks was new ground. A lawyer probably would have told her it wasn't a big deal and to just go to the back of the damn bus already.

Not a troll

[daemonc]

I am not trying to be a troll. I am completely serious, although it was intended to be somewhat humourous as well. Microsoft's time has passed. Their monopoly is going to be broken up. They have nothing left to contribute to the world of computing. They already lost their hold on the server market to Linux. At this point they can either go out quietly, or do as much harm to their unfortunate customers as possible by trashing their weight around as they die.

It can still be used in SAMBA...

[spoonboy42]

If we only have to take precautions equal to those we take for our own confidential data, why not just set up a windows box with ALL files shared over gnutella. Then just throw a few love letters in my documents (personal confidential data) and share the Microsoft docs. Problem solved! ;)

Trade Secrets do not equal "open season"

[filbo]

The post equating trade secrets to "open season" is wrong on all points.

Remember, you're allowed to try to *obtain* a trade secret, and once you do, if you haven't agreed to anything, it's no longer a secret.

This is not true. Under the Uniform Trade Secrets Act, which has been adopted by many states, including Washington, a trade secret retains its status as long as it is the subject of reasonable efforts to maintain its staus as secret. So, if I have a trade secret in a file on my hard drive, which is password protected, and you steal my password and copy the file off my drive, you have misappropriated my trade secret. The fact that you didn't "agree" to anything is irrelevant.

Trade secrets enjoy very little legal protection, unlike other kinds of information. They can't sue you for infringement, for instance.

Again, totally incorrect. The Uniform Trade Secrets Act provides for injunctive relief, monetary damages, and exemplary damages up to two times actual damages, plus the possibility of recovery attorneys' fees. See, e.g., California Civil Code sections 3426.3 and 3426.4.

So, if someone is able to *extract* the information from the .exe, without running it or agreeing to anything, that's well and good.

No, that's a good way to get your ass sued.

Re:Trade Secrets do not equal "open season"

[filbo]

A "trade secret" is quite different from copyright, patent, etc. A trade secret is information that the holder derives economic value from because the information is a secret. Customer lists are a perfect example. A business has a list of customers it knows have a need for a particular product. That business can focus its marketing efforts on those customers, while competitors may have to market to a broad audience because they don't know who has a need and who doesn't. Reverse engineering for interoperatability implicates copyright and patent concepts more than trade secret concepts. If you put a piece of software on the market and I figure out the algorithm you used to do a particular task, I haven't "appropriated" your trade secret. But if I bust into your office and steal your source code, I have. My point was that the mere fact that you didn't "agree" to keep something secret doesn't preclude liability.

Re:Trade Secrets do not equal "open season"

[radja]

not in europe, where it is specifically allowed to reverse engineer for interoperability, ie reading a document through a different reader, cos none is available for your OS.

//rdj

Re:Loophole?

[fedos]

Well, you know that File and Print Sharing is a vital part of all intranets. :)

Seriously, though. I have Microsoft's Web Server installed on my system (I thought it was necessary for running InterDev). What if you know what my IP address is and you access my machine. The PDF is just has secure as the rest of my data, am I breaking the agreement?

Re:Trade secret == open season

[Stary]

However, there is a short license agreement at the bottom of every page and the full agreement on pages 11 and 12.

Does this mean I can publish something on the 'net and put "You have to pay me $100" on the bottom of each page, put my "full agreement" containing how to get the money to me on pages 11 and 12 and then every poor sucker who happens to read it has to send me the money? Since when could you agree to something by simply reading?

Re:And we're the press now, too.

[[docgui]]

That was just one example of the press. I believe BYTE railed against this embrace and extend bit as far back as late 1997 when it was still to be called NT 5. They continued to dish out this critism on everything from it being a potential security hole to the lack of interoprability.

Other more recent bits came from ZDNet this week and hints of it in 1998 I'm sure if anyone spends more then five minutes they could find better examples.

Back to LiuxWorld being an example of the press. It is part of Internet journalism. What I think you were refering to was its potential bias and a possible lack of neutrality. Sometimes your rivals give you the best critism. NetWare marketing made this an issue as well, but in the end the information source dosen't matter as long as it is factually correct and independently verified. Maybe if enough pressure is brought to bear on MS they will drop the things that are making them incompatible with proven network security standards.

docGui

What a load of three-headed...

[connorbd]

You know, the truth is that I simply don't buy their licensing terms. "Treat it as a trade secret" my USB port -- that's like telling a little kid not to touch the cookie jar when they didn't even know there was something in there.

It's legal FUD, no more. I'd just love to see someone work up the nerve to challenge it (anywhere except Virginia, of course).

/Brian

Re:Full text

[pugugly]

Notation Regarding the term Trade Secret -

A Trade secret is based on the 'Owner' taking reasonable precautions. I don't think you can 'license' a trade secret as such - once you do, it's no longer a trade secret. Indeed, according to 'praireelaw' it's the employers responsibility to conduct exit interviews regarding what is considered proprietary. Trade secrets cab be developed independently, and there's no protection (Think Shipstones from the Heinlein book 'Friday'). Trade secrets are (by definition) not public knowledge. I think trying to put up a 'genersl public license' for a trade secret is contradictory.

Of course, between the thrice-damned DMCA and the UCITA acts which practically allow Software companies to write their own laws regarding intellectual property, who knows . . .

Seems awfully unfair for Corps to limit those laws to Software. I'm sure lots of manufacturing companies would like to have that capability too -
"The safety features of this car are proprietary and licensed rather than sold. No guarantee regarding the safety features is expressed or implied for any particular set of circumstances. Any attempt to reverse engineer or otherwise test the features of this car will be considered a violation of the Chevrolet(TM) licensing agreement, unless implemented by licensed chevrolet engineers familiar with the current implementations of Chevrolet Safety Features (TM). Some Portions of this License Aggreement may be void in Idaho . . ."

This has been a test of the Slashdot Broadcast Network . . .

Re:Ask a judge how many laws are illegal.

[Cryptnotic]

All laws are legal, by definition.

However, in the United States at least, there is a thing called "judicial review", by which the supreme court can declare a law to be "unconstitutional", which means in violation of the constitution of the United States, and thus invalid.

Potential workaround

[Inquisiter]

This is a pretty sly way to enforce a licencing agreement. Maybe this is an equally sly workaround. The key is that the user is only required to agree to the agreement if they read the agreement when they run the program under windows. If someone could hack up a perl program to extract the pdf, we wouldn't be prompted to, or required to agree to the licence (Unless the agreement was also inside of the document :( ). If this could be hacked together, the spec could then be used by the samba team. There is no reference to any agreement on thier web page, and I downloaded the bits without agreeing to anything. Now if I could only extract the document without agreeing to any agreement. What do you think?

Disclaimer: IANAL

"F*** them... and their law"

[dash2]

Bypass the endless wrangling about how you might get round the license by rewriting it, crossing state boundaries, reading it in a mirror at midnight by the New Jersey turnpike et cetera et cetera.

Just use the specs to develop a solution. Do it anonymously (anyone know who is developing Gnutella? thought not) Then distribute it. End of problem.

Dave
----------------------------------
What are the weapons of happiness?

Did Micro$oft have to do this.

[Glowing+Fish]

Could everyone please forgive my ignorance, but did Micro$oft have to do this? Was making propietary extensions to a GPL, or otherwise OpenSource protocol, in someway illegal for them to do, or was it just considered in bad taste?

Because if they did do something against their license, then they really can't pick and choose how they are going to follow their license...they either have to do it or not.

If however, they only did something in bad taste, and wish to make up for it, then we really can't argue too much with what they did...besides to say it is still in bad taste?

I imagine that Micro$oft didn't consider this manner to be that important, they must have known this kind of documentation would be leaked quickly enough. Or else they just don't know about Slashdot.

Re:Did Micro$oft have to do this.

[TheMCP]

The legal problem with what they're doing is that they're deliberately making their software non-interoperable with published standards. This seems to indicate that they're trying to use their monopoly position to exclude competition, which is illegal.

Got it?

Re:Did Micro$oft have to do this.

[tytso]

The legal problem with what they're doing is that they're deliberately making their software non-interoperable with published standards. This seems to indicate that they're trying to use their monopoly position to exclude competition, which is illegal.

Yes, that's it in a nutshell. The game here is that they're trying to use their monopoly in the desktop space to dislodge Unix in the server market. One of the ways they do this is by making the Windows 2000 PDC "look" like it embraces open standards, so that the I/T departments in Fortune 500 departments (which up until now have very often used Unix/Linux systems in their back offices) think that using Windows servers, and the Windows 2000 PDC in particular, is mostly harmless.

But the Windows 2000 clients have been architected so that you only get a bunch of cool features if you use their propietary protocol extensions. So it's clear that Microsoft is trying to create a monopoly situation with the Windows 2000 PDC, and once they control enough of the servers, they'll have an even tighter lock on the client market, and vice versa.

In my opinion, the DOJ really should have proposed splitting Microsoft's OS operations into a Client OS company and a Server OS company, in addition to splitting away the Office operations. Unfortunately, given that they've already submitted their proposal, it may be too late to fix things. Simply splitting the Office group away isn't going to stop Microsoft from playing dirty tricks in the client/server OS space, just as they've done here.

Re:Loophole?

[varcher]

Well, having signed nothing and and clicked nothing, anyone who did this is not bound by any license agreement. The "illegal" part does not exist. As far as I know, it is not illegal to read anything, except those documents covered by military classification.

So, the only recourse from Microsoft is to claim that this material was stolen from them. Which is kind of hard, since it was downloaded from a public portion of their site.

Thing is, there are probably as many loopholes for and against it that it would be a very interesting legal battle :)

Re:Trade Secrets only as long as they're secret...

[MattBaggins]

Would you believe somone emailed me a TXT file that seems an awful lot like specs for Kerberos. Strange thing is that there are no licenses or warnings on this file at all. I have no idea if this is the MS trade secret document as I have not looked at the the MS document. I do not have windows so downloading it would not be legal or possible. I imagine this must be a hoax as no one would strip the legal claimers out of a document now would they? If anyone would like to see this document and verify if it is authentic or not, email me at mspragu1@oswego.edu

Re:Not for interoperability!

[Ascender]

the Specification is provided...for the sole purpose of reviewing the Specification for security analysis.

And later: Microsoft does not grant you any right to implement this Specification.

How exactly is "implement" defined?

Would it not be possible to use something like a packet sniffer, and watch a w2k client doing some negoiation? Then, you could be sure whether or not what microsoft made was actually what they claim to have made...

Then, you could pull a Compaq of reverse-engineering it with hints, maybe?

From the MIT page...

[Pinball+Wizard]

>> I personally wonder about this myself. I have seen references in "The Devil's Dictionary" that claim it is Kerberos, but when I checked this myself I only found the "Cerberus" variant.

I never actually heard of the "Kerberos" spelling/pronunciation until I got involved with Kerberos myself.

From: Tom Yu

"Cerberus" is the Latin spelling of the Greek "Kerberos", and according to the OED is pronounced like "serberus", but that is quite at odds with the Greek, as the initial consonant is a "k". MIT Project Athena chose to use the Greek spelling and pronunciation.

From: Jan Sacharuk

Tom Yu is correct, Cerberus is the Latin spelling. However, the fact that the OED says that the 'c' is pronounced as an 's' is an English affectation. In Latin, the letter 'c' is always hard. So Cerberus is pronounced 'Ker-ber-ous'. The letter 'u' is also slightly different, making it somewhere in between 'oos' and 'ous'.

Re:Logic flaw

[revelation0]

Well, you can make this statement only by the assumption that we do consider the source that we are opening up "confidential", which most of us probably don't. My new recommendation is this, which I will also propose to those on the samba dev team and list -

Build (maybe fork?) a new version of samba which complies with the new standards set by this document. Publish it under a different name (GPL'd of course) anonymously overseas for those wishing to intergrate other *nix servers on their windows network.

The only reason I deem this remotely necessary is because of Microsoft's conduct in all other fields, and I'm sure most will agree. If we do allow them to take this format, make it proprietary, killing all interoperability, there are those corporations who will begin the migration and be stuck with a Microsoft exclusive platform. WHY allow this, when we have the means and the resources to defeat it? If working in a corporation, and I wish to install a new file server and choose some random linux distribution to do the job, only to find out that it won't integrate with our current network because of the standards imposed by previous system admin's, there should be some way out. Standards and interoperability have created a boom in the computer industry, let's not see it fall victim to Microsoft's sword.

- Rev -

Re:easy workaround

[alarosa]

"He said WHAT? That AC will pay for that comment, especially the 'purple monkey dishwasher' remark!"

Geez....

[ZoneGray]

Who do they think they are? Metallica?

This (above) looks like the important point

[alarmo]

And later: Microsoft does not grant you any right to implement this Specification.

sure enough, this seems (IANAL) to directly state that if you use this spec to implement or imitate MS-Kerberus, you've violated the agreement and can probably be sued, etc. The download is just necessary to wrap the license agreement around it.

This is kinda novel - "We'll even tell you what we're doing, but fsck if we'll let you do it too." Documentation doesn't help at all if it comes with a condition like that. What's the next step, patenting the writing of MS-Word format to keep all those pesky filters at bay?

Where's the first mirror?

[LoonXTall]

With the way the open-source community disregards copyright, patents, etc. (see my .sig), who gets to be first to mirror? I defer the honor to the more courageous... after all, MS does hold many of my friends in its claws, unlike the MPAA.

-- LoonXTall

Re:Is "Kerberos" trademarked?

[Gender+!=+Sex]

If they're not conformant with a open and trademarked standard, they should not be allowed to say they are. Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.

No, Kerberos is not "trademarked". Trademark is a noun, not a verb. Therefore, something cannot be trademarked. Kerberos might be a registered trademark; however, I think someone else posted that it is an abandoned trademark.

Freedom to innovate

[DagB]

Microsoft has now for a pretty long time tried to convince the court that they are just practicing their freedom to innovate.
Now, no one but Microsoft can implement an authenfication service for Windows in a legal way. I do not think Microsoft really can stop anyone from implementing an authentification service, but its horrible that one could get sued over this.
They are, with the extension to Kerberos, again showing that they are only talking for themselves.
This just proving that the court clearly has made the right decision.

Re:Ignore Microsoft's release, don't break license

[HGWS]

I agree that I won't ignore this license, too. I think there will be a better solution (i.e. clean-room reverse-engenering) sooner or later.

But:

I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

IMHO this is completely wrong. I don't have no windows on my machines any more for three years now. When I get such self-extracting stuff, I have to use the command-line unzip or try another decompression tool to extract it. Don't see everything from the windoze view.

If someone were to crack that .EXE file

[bergeron76]

What course of action would microsoft have if a "freely" distributable executable was cracked and the PDF file was extracted. I'm sure they're using one of their typical lame encryption schemes probably on top of a cab file or something. If I were to extract the PDF info from the EXE ++without++ accepting the license agreement I would be able to distribute that info without fear of consequences, no? CB

Re:Get around the license ... ?

[AwesomeCrap]

Actaully, the law is worded such that a minor could agree to the contract, if the company will let them, but the contract is not legally binding for the minor AT ALL, but is legally binding for the other party, Meaning that the minor would not be responsible, and neither would their parents. But I'm not sure, so if you were going to do this, you should check with someone else who would know the law better than me.

Is "kerbspec.exe" booby-trapped?

[sehlat]

I notice some interesting things about the "kerbspec.exe" download. There are specific mentions in the file of "installation" and since I ran the program, my firewall has blocked at least two attempts by my system to contact Microsoft, *NONE* of which I initiated. There's also something funny about my task list, including something called "robot" which I have no knowledge of putting there. Any input on this?

Re:Is "kerbspec.exe" booby-trapped?

[sehlat]

No, I'm *NOT* trying to be funny. I wish I were.

Copy Lefting

[Archangel+Michael]

Why doesn't the open source community "copy left" the specifications. Basically the only way to have authorized usage of the open specification is to agree to the terms of the specification, which specifies that all "propriatary" extensions be freely published. Since it is open, there can be no "reverse engineering" of the specification. Micro$oft problem solved in a whole bunch of arenas.

MS and open standards

[mortenk]

Does anyone know of a standard that MS has not "extended"? I get the impression here that MS change everything they come into contact with...

---
morten

huh???

[Spoporwesh]

PLEASE not one of those bullshit comments about Microsoft.

No need to read the license

[H3llFyre]

Download Microsoft's wonderful little package that unzips the file and also makes you agree to the license agreement. Or you could just do a "right-click drag" (with winzip or winrar installed) and choose to unzip the file. It pulls out that nifty little pdf file. No license agreement. Pretty little package. H3llFyre

Possible to get money?

[Morticah]

Microsoft says: Please review this Specification copy only if you licensed and downloaded it from Microsoft Corporation`s website; if you did not, please destroy this copy ... Hm, if I`d burn the paper and my hand too, do you believe I could get damages for pain and suffering from MS?

Re:Loophole?.....just a question ...

[annoyed162]

what ever happened to freedom of the press?

i thought that freedom of the press meant you could write what you wanted and print it wherever..
as long as it wasnt copywrited or whatever...
so this brings my question .....

what if .. win2000 and all there lil trade secrets were to be disassembled and posted ...

maybe a assembled version is copywrited ... but would that also include a disassembled version?

and another thing! MS and there agreements are crap! just like there waste of space OS's ... i think MS should have stuck with XeniX and left the whole windows based environment (lisences and agreements included) to Apple or whatever ...

another question .... do you have to agree to anything before you d/l whatever the specifications are included with or whatever?
if not .... the file that has the specifications were to stay compressed and like a cgi script or something were to extract just that file .... who's to say who did it ...
nobody to blame ....
anyway!

my sugestion would be to forget the whole thing ... then next week somehow a copy of it got posted on about 200 misc. free websites (geocities,xoom,tripod, etc...) and a link to a cgi for redirection ...
its not on your site ... just a link to an html page ....
who knows whats on it ....

Re:Loophole?

[Danse]

I call your attention to the part you quoted which says "AT LEAST as great as the precautions you take to protect your own confidential information."

What Microsoft's statement says is that the least amount of precautions you must take are those that you take with your own confidential information. You may take more, but it does not seem to require that you do so. Why would they bother including the statement above if they had expressly spelled out the precautions you must take?

How many people have to download the information before it becomes common knowledge in the industry? Is it still a trade secret if everyone knows the secret? Doesn't make a lot of sense. Seems like Microsoft is playing a game and I hope to see them lose.

Re:Loophole?

[Danse]

Why bother even mentioning B at all then? It seems to be completely irrelevant. Why not just say that X must be >= A then? That's why I didn't agree with the interpretation. Did they ever define A?

Re:Trade Secrets only as long as they're secret...

[Fastolfe]

If a copyrighted work is illegally redistributed, perhaps even with a "new" license (one that could make it public domain, for example), that license is null and void since the work was obtained/distributed illegally in the first place. You can't just slap a new license on something unless you *own* that something. Anyone downloading your copy, legally, have zero rights to it. If they honestly didn't know it was ripped off, and thought the "new" license/copyright terms were the real ones, they would be fine (they'd just lose subsequent rights to the work in total).

Of course, I'm just looking at this from a simple copyright perspective. People are using terms like trade secret and patent and trademark, etc., but simple copyright law is all that you need.

They wrote the document; they can determine exactly who is allowed to get it via how it can be redistributed.

Why don't we just borrow some books from the library and transcribe the contents on web pages? People would never have to buy books again! What about movies? CD's? It's the same concept.

Re:Ignore W2K!!

[William+Tanksley]

This may very well be the case. However, you're missing a possibly subtle point.

We're not in a war against them. We don't need to watch W2K die. We just need to continue doing our jobs -- and continue contributing to the community -- just as we've been doing.

I'm not saying that we should ignore this kind of deliberate attack; it's likely that this attack will get in the way of us doing our jobs. My point is simply that we don't have to watch W2K die. The mere fact that its supporter is Microsoft, a company who does this kind of thing, will kill it -- together with the fact that the people (us) supporting the better operating systems don't do that.

We should be known as the people willing to help other people get their jobs done, without stooping to bickering and fighting. Our motto should be something along the lines of: "It's not an operating system. It's people."

-Billy
"IT'S PEOPLE!!! YOU'VE GOT TO TELL THEM IT'S PEOPLE!! IT'S MADE OF PEOPLE!" -- Charlton Heston

Re:Is "Kerberos" trademarked?

[copito]

IIRC, Microsoft has extended Kerberos in a standard way, that is, by using parts of the protocol which are intended to be vendor defined. I'm not sure whether they have maintained interoperability.
--

Re:can this be bypassed?

[copito]

IANAL, but I think that a trade secret can be legally protected if reasonable steps were taken to protect it. So if someone breaks in and steal your trade secret, then publishes it, other parties may be enjoined from using the information.

A court would have to decide if Microsoft took reasonable steps to protect their trade secret in this case, I'd say they didn't, but then again I'm biased.
--

Re:The license is still all over the damn thing

[Tet]

the first paragraph says you have to have licensed it to read further.

Actually, no it doesn't. It asks you to only look at the information if you have a license, it doesn't demand it. The actual wording is:

Please review this specification only if you licensed and downloaded it from Microsoft Corporation's website; if you did not, please destroy this copy

Note the use of the word "please". I'm free to ignore any requests from Microsoft Corporation, and I choose to do so here. BTW, I didn't agree to any licensing terms to get that information.

So what's the catch ?

[Oestergaard]

The Samba team doesn't protect their own confidential trade sectrets very well, and surely they could use this spec if they protected the implementation equally well. Microsoft knows that of course. But hey, they're not just giving away competitive advantages all of the sudden. It's a PR stunt for sure, but it's not good enough to be just that. There _must_ be something important which is not in the spec, or which is different in the spec. What could it be ? I haven't seen the spec myself and I don't know Kerberos stuff, but somehow we're going to find out when Samba implements the spec and some sort of hell breaks lose. My best guess would be that it is related to security - call me detective ;) Could there be some blatant backdoor inherent in an implementation following the spec ? Let's hear what people who know Kerberos and the spec say...

Use M$ Word

[MouseR]

...to create enough documents so that all that extra bits of info M$ is grabbing off your disk in Word files, which would include their kerberos source modifications, ends up being send along the bogus documents via email attachments.

Reassemble everything, and you have sources that were published by MicroSoft's own incompetence in a way they can't blame you.

Re:The license is still all over the damn thing

[cpt+kangarooski]

Clearly you haven't extracted it enough...

Set up a pair of groups to extract it. One agrees to the terms and knows what the license is.

The other does not agree, and never looks at the docs at all. But they keep making filters which they think are likely to strip the license. They make a metric crapload of them, present them to the 1st group and asks "Are any of these licenseless?"

A bit of grepping determines the answer, and voila - a copy of the docs w/o license.

;)
(and if you think I'm a lawyer, I've got this bridge that's very affordable...)

Re:Defeating Trade Secrets 101:

[Ed+Avis]

But my point is that with normal copyright, I can distribute works that rely on someone else's shared library. With GPL you can't legally do this, or at least RMS hopes you can't.

IANAL, but: This issue is muddy because nobody really knows what the legal position is. There are essentially two possible cases:

• Linking with a shared library does not make your program a derived work of that library. In this case, both proprietary software and GPLed software can be dynamically linked to any program you write and distribute. The GPL claims that this is not allowed, but if your program isn't a derived work of the GPLed code, then your program is not bound by the GPL's terms anyway.
• Linking with a shared library does make your program a derived work. In this case, you cannot distribute a program linked with a library without permission from the library's copyright holder. Proprietary software might allow this, depending on the licence terms. Certainly something marketed as a 'library' would allow it under ceratin conditions. However, you could be on shakier ground if you wrote a program depending on 'some other company's shared library' which they hadn't given you permission to use (for example, if you wanted to use MS Word's import filters). The GPL also allows linking, treating it exactly the same as any other derived work - ie if you distribute your program, you must distribute it only under the GPL.

Re:Defeating Trade Secrets 101:

[Ed+Avis]

While the GPL gives you certain priveledges that you wouldn't have with normal copyrighted works, it also takes some normal rights away.

ianal: It's not possible for a licence to take normal rights away (at least not without DMCA, UCITA, etc laws). The whole point of rights like fair use, parody and so on (which vary from country to country) is that they can't be taken away by the copyright holder, no matter how much crap is in the licence 'agreement'.

Now the GPL claims that a program which uses a library is a derived work of that library, but if this turns out not to be true (it's not been tested in court AFAIK) then that section of the GPL doesn't carry any weight.

In particular, it's perfectly legal for me to create a proprietary program that relies on some copyrighted shared library (.dll, .so, whatever-your-OS-uses) made by someone else.

Are you sure? Without the permission of whoever wrote the library? Have a look at the files for Microsoft Office, pick a DLL at random and distribute your own program linking with that DLL. See what happens.

Re:Defeating Trade Secrets 101:

[Ed+Avis]

If failing to read a license causes me not to be bound by it, then maybe I'll just download the Linux kernel code, ignore the license, and call it public domain.

Read what the GPL says:

5. You are not required to accept this License, since you have not signed it.

You don't have to accept the GPL at all. But you will be violating copyright if you distribute Linux under any licence except the GPL.

Re:Defeating Trade Secrets 101:

[Zagadka]

Ah, but the GPL grants you additional rights that you would not normally have under copyright law.

While the GPL gives you certain priveledges that you wouldn't have with normal copyrighted works, it also takes some normal rights away. In particular, it's perfectly legal for me to create a proprietary program that relies on some copyrighted shared library (.dll, .so, whatever-your-OS-uses) made by someone else.

If I tried to make a proprietary program that relied on a dynamically linked "libreadline" for example, I'd be in trouble though. According to RMS, GPL doesn't allow non-GPL programs to link with GPL code in this way, because the code "depends on" the GPL code.

So I can do certain things with normal copyrighted works that I cannot do within the constraints of GPL (or at least the GPL's intent, according to RMS).

Re:Defeating Trade Secrets 101:

[Zagadka]

The GPL lets you make derivative works based on a shared library. It just doesn't let you DISTRIBUTE those derivative works.

Fine. But my point is that with normal copyright, I can distribute works that rely on someone else's shared library. With GPL you can't legally do this, or at least RMS hopes you can't.

Just like I might make a picture and say ``its free for you to use on webpages, but you can't sell t-shirts with it.'', the GPL is the same way.

No, it's more like, "you can link to my web page only if your web page meets certain conditions". I'm talking about dynamic linking here, which is actually quite a bit like linking web pages in a sense.

That's not taking away any rights you otherwise might have had.

I think you completely missed the point. If I wanted to, I could write a program that relied on some other company's shared library, and I could sell tht program (and yes, distribute it). As long as I don't include the copyrighted library itself then copyright won't restrict me from doing that. However, with GPL, RMS's hope is that people are not allowed to create non-GPL programs that "depend upon" GPL code, even through dynamic linking.

To give an example: it would be legal for me to create a non-GPL Macintosh emulator that required you to get your own Mac ROM files. The Mac ROMs are copyrighted, but it's okay (IANAL, but I'm fairly certain this is the case) for me to create software that depends on that copyrighted code, provided I don't go and give people that copyrighted code.

If the Mac ROMs were under GPL though, I wouldn't be allowed to distribute a non-GPL emulator. My emulator would clearly be dependant upon the Mac ROMs, and the GPL states that in such a situation it had better be GPL too if I want to distribute it. Whether that would actually hold up in court, I don't know. But RMS's intent is obvious, and he's stated it publicly many times.

You're just bitching because its not giving you the rights you want.

I think you're confusing independent thought with bitching. I have no problem with the restrictions GPL places. I'm working on some code right now that I plan on releasing under GPL. Does that mean I agree with all of RMS's philosophies? No. I think content creators should get to name their price. If they want to give it away free, fine. If they want to get a million dollars, fine. If they want you to give away your source, fine. You don't like the price? Don't use the code. I write proprietary software too. That's how I pay the rent. I don't get donations like RMS.

That said, I do have serious doubts about the dynamic linking restriction being legally enforceable, but I don't care much either way in this situation. It would set a rather nasty precedent, but as far as GPL goes, I have no intention of writing non GPLed code that dynamically links with GPLed code. That restriction (real, or only intended) is one that normal copyrighted code doesn't have though.

Re:Full text

[KBrown]

Now the FBI is looking for you Anonymous Coward and since you post comments to slashdot too many times a day they probably already know who are you.

Note that that strategy of posting your comments from different IP addresses every time is not helping you any more to remain anonymous.

Re:Why anyone cares

[Jeremy+Allison+-+Sam]

> So why do we need this information? Simple:
> without this information it's impossible to
> modify Samba to allow Kerberos authentication
> (and encryption?) of remote shares.

Actually this is not correct at all. Samba really doesn't need this information to do authentication or encryption from a Win2k client, as the Win2k client is kerb5 standards complient enough to allow this to work perfectly (once the code is added to Samba).

It *would be* needed, however, to create a Win2k client compatible PDC, and it would also help if Samba used the extra SID information to do access control (map these SIDs into UNIX groups and do a setgroups() call from the smbd) if the Samba server were a member of a Win2k domain and was getting the user/group information from the Win2k PDC (either via LDAP or the new winbind daemon code). It's not even completely neccessary for the latter case, as we can get the same information by doing MS-RPC queries to a DC, it's just more efficient to pull the info out of the PAC.

This spec is needed to add the PAC format to MIT kerb5 kdc's and heimdal kdc's, not for Samba.

Hope that clears things up.

Regards,

Jeremy Allison,
Samba Team.

Re:Is "Kerberos" trademarked?

[Jeremy+Allison+-+Sam]

> You may not value intelletual property but MS,
> Xerox, and many other companies do.

This isn't intellectual property, it's a land grab on a previously open spec.

> Don't force your Open Source Religion on
> everybody else

But I don't want your code ! I want *OPEN* specs, implementable by anyone. That's how the internet got built.

> Where's the problem?

The problem is you are using your client desktop monopoly to attempt to gain a server monopoly. This is why you're being broken up. This is why you're being taken to court in the EU, this is *NOT LEGAL*. That's the problem.

Regards,

Jeremy Allison,
Samba Team.

RevEng Proof, reasonability etc.

[korpiq]

1. Record the whole reverse engineering process on video to use as proof of actually rev.eng'ing, not following specs in court.

2. Publishing a "trade secret" obviously isn't "reasonable effort to protect", is it? Even with oxymoronish "by reading this..." comments.

3. Read the spec and explain it in your own words elsewhere. Someone else follows /your/ specs, not M$'s.

4. Do it the Professional way (IBM, #118).

Now if we only had enough interested developers to form four groups to make independent patches/modules for Samba.

Better yet, IMHO IETF really should use the reserved bit differently in a new version, rendering MS "trade secret" inoperable. They just deserve it.

Anything I didn't answer (or copy) yet, eh?

Re:Defeating Trade Secrets 101

[Angst+Badger]

IANAL, but part of the laws regulating trade secrets presumes that you are taking reasonable measures to prevent the public release of the secret. Posting a "trade secret" to a website for the general public to access could very easily invalidate any future claims to trade secret status.

An analogous situation would be if Bill Gates, staggering around drunk in Central Park, walked up to each of several thousand people and offered to tell them Microsoft trade secrets if they "promise not to tell". While there are no doubt judges that would let this crap slip by, I think it is likely that the vast majority of appellate courts would laugh loud and long at this. Secrets are secrets because they are, well, secret. They are not secret because Bill Gates distributes them to a billion-plus people and says "Shhhhhh".

Trade Secrets only as long as they're secret...

[UncleRoger]

So, what if some unknown person, logged on from a public access PC (such as at a library), downloaded this stuff, then posted it, sans license, on a free website, such as geocities? After a bit, it wouldn't really be a secret any more...

On the other hand, what's the big deal? If no one uses Microsoft's extensions, it's a non-issue.

Re:Full text

[orabidoo]

IANAL either, but from what I've heard things aren't so dire as you explain. in particular, no individual or company can place restrictions on your ability to *implement an idea*, otherwise than by patenting it, or having *you* accept these restrictions. if someone else gave the information to you (and there are no patents), you are legally FREE to use it. so the above posts aren't "illegal"; the act of posting them may be (but that's a risk the poster is taking), but the posts themselves are not.

again, IANAL.

Re:Please moderate the previous post down!

[tuffy]

(Score:-1, Illegal) ?

The idea that Microsoft could take the Samba team to court is both plausable yet sickening. Aren't they presumed innocent until proven otherwise? And how would it look for their PR? "Samba team taken to court over implementation of 'open' specification"

The scary part is, it wouldn't surprise me.

Re:Defeating Trade Secrets 101:

[Syberghost]

Not necessary to give it out; just rewrite a description of the protocols in your own words.

That doesn't violate copyright, and since it's a trade secret they can't patent it, so it'd be perfectly legal.

Microsoft screwed up.

--

Jail Gates

[Syberghost]

I think it's clear that Microsoft has been deliberately, willfully engaged in criminal behavior for their entire existence.

Not punishing them because the acts were performed by a corporation instead of a person is rubbish; they were performed by people, just as much as more horrible crimes in the 1930s and 1940 were performed by German soldiers, not by Germany.

To not punish Microsoft for it's crimes, based on the idea that they won't commit them any more, would be like not jailing Ted Kaczynski because he hasn't blown anybody up lately.

The Microsoft executives responsible for this debacle, including Bill Gates and Steve Ballmer, should be jailed for a long time and have all of their personal assets that derive from Microsoft seized and placed up for auction.

Microsoft itself should be dissolved, all assets sold, and the proceeds divided among everyone who has ever bought or sold a copy of a Microsoft software product.

The domain "microsoft.com" should be given to the Electronic Frontier Foundation, with them directed to operate a web server at that address with all the relevant court documents displayed there for all time.

They should be directed to place the source code for all of their products under GPL immediately, and reassign the copyrights to Richard Stallman.

Oh; and Gates should be delivered to the jail wearing lipstick and a miniskirt.

--

Doesn't matter.

[Samrobb]

It's bypassing the click-thru that's important. Having the license printed on every page may seem intimidating, but consider what would happen if you were to print it out and "loose" the printout. Whoever found it would most certainly not be bound by the license - hell, maybe they don't read English, or maybe they're a minor and legally unable to enter into this kind of agreement.

In short, MS doesn't really have a legal leg to stand on. What they do have, however, is an excuse to drag whoever they want (Samba team, anyone?) into court and sue them into bankruptcy. They don't even have to win, just have enough cash - which they do - to be able to pay their lawyers longer than you can pay yours.

SAMBA in binary.

[kevlar]

Why don't they just read the stuff and write a SAMBA client thats "closed" source, and release it with no restrictions. That way the only way MS could know if they were violating the copyright would be if they themselves hacked the program to see what it does.

... but remember, I'm no lawyer.

Re:Defeating Trade Secrets 101:

[NMerriam]

Isn't it? What is the difference between a PDF files -- a stream of 1s and 0s which, when interpreted by a certain computer program, causes a particular action (i.e., a display of text) -- and a source code file

Well, the manifestation of the bits isn't what we're talking about, but rather the words, the arrangements of letters and idea that the PDF contains, is what is protected without question, because those words (whether represented as bits, as ink, or as stone carvings) are a "creative expression".

So to answer your question, the copyright status of the content wouldn't be affected by how it is stored (whether it's a PDF or a batch file that prints it to the screen). The words that are represented are protected. Whether or not the program that generates those words has a separate protection under [copyright|patent] is where the gray area and debate is.

Please moderate the previous post down!

[The+Vorlon]

I'm sure the anonymous coward who posted the contents of the contents of Microsoft's PAC specification here thought he was doing the world a favor and sticking it to the Evil Empire in the process. But the truth is that what the poster has done is illegal in the US thanks to the DMCA, whether we like it or not. Moreover, making the contents of the file widely available in this manner threatens to taint the efforts of those who need to get this information legally!

The Samba team, and others who want Kerberos compatibility with Microsoft's PAC bastardization, need to come by this information legitimately -- either by reverse-engineering it, or by twisting MS's arm until they start behaving themselves and release the information openly. If anyone uses the above code to implement Win2k compatibility, Microsoft can take them to court for using stolen trade secrets.

Even if the Samba team *doesn't* use this information, if it becomes widely available then it becomes very difficult to prove that those who did the reverse-engineering didn't read Microsoft's document... in which case Microsoft can still take people to court for it and keep them there for a very long time because of the difficulty of proving guilt or innocence. The last thing we want is for future Samba development to be caught up in a legal gray area for years on
end.

And don't be too sure that Microsoft wouldn't take the Samba team to court for something like that, even if they knew the Samba team was innocent. They're playing dirty here, milking the gullibility of the US legislature for all it's worth. Microsoft promised open documentation, and instead they've given us a legal boobytrap. Please, let's not play into their hands.

Re:Loophole?

[The+Vorlon]

Glad that they did this? Not really. It's a strategic move on their part designed to make them look like good guys (look, we're publishing a spec! We're open!), when in fact what they've given us is completely useless to the Community (unless you really /prefer/ to use Microsoft's server products and are only interested in making them more secure). It's worse that useless, really: anyone who touches the documentation MS has put out can wind up in legal trouble with Microsoft if they later work on any project involving the reverse-engineering and reimplementation of the PAC.

So thanks, Microsoft, but no thanks.

Re:How to bypass the pop-up

[Mindwarp]

What? You mean you used that nefarious program WinZip to circumvent a content encryption scheme put in place to both protect copyright AND trade secrets? That's it! Under the DMCA all traces of WinZip must now be removed from the Internet! Anyone caught using WinZip from now on will have seven grades of shite kicked out of him/her by large men wearing big boots, sent round to your house by the MPAA.

;-)

--

Question for the Lawyers...

[sterno]

Here's a good question (IMHO). Part of making something a trade secret requires that you make a reasonable effort to protect the information. Microsoft's answer to this is making you click a license agreement before seeing the information. But, is that really a protection. If every single person on the Internet can access that information (even if they have to click on a license), can that really still be considered secret???

---

Re:Question for the Lawyers...

[IO+ERROR]

If every single person on the Internet can access that information (even if they have to click on a license), can that really still be considered secret?

I am NOT a lawyer. However, I don't understand how Microsoft can claim they took reasonable steps to keep this information confidential when they have NO IDEA WHO downloaded, or possesses, the information.

It seems to me that Microsoft did not take reasonable steps to protect the confidentiality of its "trade secret," by not requiring user registration to access the file. Unfortunately for them, it's too late now.

This is M$. I seem to recall that they make people SIGN PHYSICAL PIECES OF PAPER called non-disclosure agreements before giving them access to confidential information. So what the hell is this? Looks to me like M$'s legal department royally fucked up.

Of course, you should consult your own lawyer before you go reading the PDF file...
---

And they can probably prove it if you do...

[DiningPhilosopher]

Given this fact, I wouldn't be surprised if this spec describes some small detail which is NOT present in the behavior of Win2K.

If your implementation exhibits this behavior it'll be fairly obvious that you used the spec rather than properly reverse engineering the protocol. This should be enough to destroy you in court.

Re:Defeating Trade Secrets 101:

[magic]

In the United States, any artistic expression is automatically copyrighted to the author on creation, regardless of copyright or other protections sought.

It is a violation of the author's copyright to electronically distribute the Microsoft document without permission (even though they posted it on the web), or to make physical copies without permission. I personally find it silly to post technical specifications without granting the reader the right to make copies (i.e. print it out and make copies of that printout), but the decision as to making copies is up to the author.

It is legal to distribute the "concept" (i.e. information content) contained in an artistic expression as long as it is rephrased (i.e. not an exact copy or derivative work). There are three exceptions to this:

• Source code is a gray area currently being debated. Some people believe it is an artistic expression and is text, others believe it is something else altogether and not protected by copyright.
• You can be held liable in certain circumstances if you illegally obtained information then redistributed it. The term trade secret refers to such information, and is part of the debate. National secrets come under this category as well (I think that term is something of an oxymoron if taken literally)
• It is always legal to reproduce small portions of a work for review or commentary purposes provided a citation is given.

So, like Metallica's songs, your post on /., and the book War of the Worlds, that PDF document is copyrighted. It is illegal to distribute it against the copyright holder's (MS) wishes. Whether it is legal to redistribute the information content (the spec.) without using the verbatim text is a separate question over which copyright law does not preside.

magic

Re:Full text

[Sonic-B-PHuCT]

Here's another one to Ponder: As I write this, does /. have editorial control over what I write? Or are they just a distribution channel for my comments published by me (by the very act of typing this in and pressing the submit button). I would venture that /. is a distributor and therefore not subject to responsibility for content in the same way Amazon.com is not responsible for the content of the material contained w/in the text of their product.

Re:Workaround not requiring copyright violations

[mindstrm]

Fair use applies to straight copyright law. Contracts and EULAs can add additional rights. Remember, 'fair use' doesn't equate to 'you think it's fair'.

Also, copyright law does not 'grant' you rights, it grants rights TO THE COPYRIGHT HOLDER. It gives them the power to license it to you under their own terms and conditions.

Re:Bill

[mindstrm]

Uhh..
how is that news?
They are the 'first' to offer kerberos v5 native in windows 2000? Who ELSE would be offering it as native in windows 2000?

I have to wonder..

[mindstrm]

Even if this is the case.. if someone can show that anyone can just go fill out the form and get it.. can they still claim it to be trade secret?
Or is this their way of saying 'see.. we're open about everything! we're not trying to hijack the protocol! OH! but if you try to build something using our proprietary extensions, we'll fuck you over'

Re:Defeating Trade Secrets 101:

[powerlord]

IANAL... but...
I've had to deal with Trade Secerets a fair amount of time.

My understanding is that in order for a piece of information to maintain the classification then:
1) I need to agree to keep the secret
2) The information needs to be transmitted in writing (I'm assuming electronic form is considered writing) and
3) At the bottom of each page should be a notice that this information is a Trade Secret.

I believe (perhaps an IP Lawyer out there can verify) that unless those conditions are met, the information is not considered a Trade Secret.
(ie. if someone gives you some documents and then later comes along and tells you, 'oh, and this is a trade secret' you don't have to follow their wishes)
If this weren't the case then you wouldn't have to sign an NDA, they could just give you the document with the license 'printed on page 10 and 11'.

Re:hello

[Nebulo]

"...equal to asking you to sign..."

Ah, but they're only asking. You don't have to sign anything you don't want to, being of sound mind and free will. I make it a practice to read everything I put my name and/or signature to. If I don't like or don't understand it, I don't sign it. Simple as that.

Bothersome - people here imply that Microsoft is "tricking" people, that Microsoft is "forcing" them into an unagreeable license. But they're the ones who downloaded Microsoft's intellectual property and begat themselves of its wonders, and 9/10 of them knew there was a license attached to what they were reading.

Seems to me the fools here are the ones who read the license, understood what it meant, didn't like it, and went ahead and clicked OK anyways. Stop all this talk of being forced to do things - you're not all helpless sheep victim to any passing breeze. You're human beings with rational minds and the ability to make decisions based on your judgement.

And if you are a sheep, well, that's just the way you are, but if you *know* you're a sheep you shouldn't be going around clicking OK to things you don't understand.

OK! I know flamebait when I see it. It's late.

Nebulo

Re:can this be bypassed?

[Wah]

IANAL, but I think that a trade secret can be legally protected if reasonable steps were taken to protect it.

I seriously doubt that posting it to the Net would count as a reasonable step to protect the secret. Either way I'm not touching W2K (and it's not touching any of my company's computers) until it can play nice.

--

Re:hello

[remande]

You're right; it isn't legal. But people think it's legal. And the relevant laws can be made to sound mumble-jumble enough that it only takes several million dollars worth of legal talent to convince a dozen of our peers that it is legal.

Re:can this be bypassed?

[Vlad_the_Inhaler]

I am not 'the Slashdot crowd', I am me and speak only for myself. Sometimes not even that.

Actually, the GPL violations in China do not interest me much either - anyone there who really wants the sources could probable get them anyway.

Re: Always use WinZip to uncompress .exe's

[|DaBuzz|]

I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

Actually it can be argued that any security conscious user would NEVER double click on an .exe file if another alternative existed, in this case WinZip is that alternative.

I know that personally, when I get a self extracting .exe, I ALWAYS try to open it with WinZip first, it just makes good security sense don't ya think? Why run an .exe when you can use WinZip to do the same thing without putting your system at risk?

All it would take to convince a judge of this would be to infect the same .exe with BO2K and show WHY using WinZip is the best option to start with.

Re:Defeating Trade Secrets 101:

[iCEBaLM]

However, just because there was no license agreement doesn't mean the document is in the public domain. There's a difference between software licensing (which is contract law) and public domain (which is copyright law). Microsoft is effectively acting like a newspaper or a radio station here - they are publishing something to a lot of people, but that doesn't give their audience distribution rights as well. Try making photocopies of the New York Times and selling them for half price, and see how far you get. Or better yet, try rebroadcasting a major sporting event in your bar :)

Difference: NYT and TV broadcasts are copyrighted, this MS document, I've been told, is supposed to be a trade secret. If they claim its a trade secret they cannot copyright it. Since I am not under any license (as I did not see one, or agreed to one) about it being a trade secret, then I am an "innocent", and it is now public domain.

-- iCEBaLM

Re:Defeating Trade Secrets 101:

[iCEBaLM]

I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.

MS puts it on their page for everyone to DL, there was no agreement that I saw that said I couldn't give it out to anyone else, it's public domain.

I'm not associated with any such group, I'm just your average joe schmo who uses winzip instead of running self extracting archives for fear of viruses. :)

-- iCEBaLM

Re:Microsofts intention

[Tower]

>This is Microsoft's new OS.

Didn't see that in the download - just a variant on a network auth protocol... which you 'are not allowed to implement', so they certainly don't want anybody else playing in their sandbox...

Re:Trade secret == open season

[The_H0und]

However, there is a short license agreement at the bottom of every page and the full agreement on pages 11 and 12.

So, I guess that my winzip idea is worthless...

Re:Defeating Trade Secrets 101:

[Greg+Lindahl]

I wouldn't do that. It's still copyrighted,

Trade secrets can't be copyrighted. Consult a lawyer instead of playing one on /.

Why anyone cares

[coyote-san]

A couple posts have suggested that the only reason anyone would care about the contents of the document is so they can create their own competing implementation.

That's *not* the case - the MIT and Heimdal Kerberos implementations work quite nicely under Linux, come bundled with RH 6.2 (and my unofficial Debian packages) and Debian 2.2/non-US, respectively, and include all you need for a fully-functional Kerberos network. I know; my BAN uses MIT Kerberos for most of the network services.

MIT Kerberos (at least) even compiles under Windows platforms. This allows you to use Kerberos with W9x boxes.

So why do we need this information? Simple: without this information it's impossible to modify Samba to allow Kerberos authentication (and encryption?) of remote shares. I'm sure I'm not the only person who is breathlessly awaiting the MS spin that "Samba may be faster, but it's not as secure as 'real' W2K servers!".

Meanwhile, I'm breathlessly awaiting Kerberos-enhanced NFS. (slobber). It would eliminate a *lot* of problems (while introducing a slew of new ones). In the meanwhile we still have AFS and CODA (which solves a different problem).

Re:I smell a boobytrap.

[Simon+Brooke]

Microsoft sues the Samba developers, alleging both trade secret violations and violation of the DCMA. (This would make them felons...)

Remember that the Digital Millenium Copyright Act has force of law in only one of the over two hundred countries in the world, and, as it happens, not all the Samba developers live there.

And we're the press now, too.

[devphil]

Yeah, MS's dedication to certain standards is pretty impressive...

When I read the /. article and came to the link "beat up in the press," I was amused to see that the press doing the beating was LinuxWorld. That's one step away from saying "after MS was beat up in /. discussion boards."

You'd think that with a statement like that, "the press" would have referred to something a little more... mainstream. Of COURSE a Linux mag is going to beat up on Microsoft.

Re:Trade secret == open season

[Chalst]

On the other hand, they have asserted copyright on the contents of the
document, and have taken `effective measures' (in the language of the
DMCA) to restrict access to it. So isn't the kind of measure you
propose infringement of the DMCA?

Charles

Are there legal tricks to get around this?

[gotan]

I wonder if it isn't possible to release an extension to the Kerberos Standard that 'accidentally' works with windows servers/clients.

There is another thing that bothers me here: MS has put his trade secret in the open, so if they want to take someone publicizing part of it to court couldn't it be argued, that since they didn't take any means to protect their 'trade secret' the legalese obviously weren't worth the bits they were encoded with. And since MS is encouraging criminal acts here, can't they be sued for that?

At least the information where to find the MS extended Protocol (i.e. the link) and maybe even the file 'kerbspec.exe' can be distributed freely (hey i just downloaded it, i didn't even execute it so i didn't agree to anything)

And since it's impractical for unix users to extract the file on a dos box maybe someone could come up with an extractor.

I smell a boobytrap.

[Ungrounded+Lightning]

Scenario:

* Microsoft releases this document, with these trade secret and copyright claims and "technical means" to enforce them.

* Somebody posts the text. (Already done.)

* The Samba developers implement a compatable upgrade.

* Microsoft sues the Samba developers, alleging both trade secret violations and violation of the DCMA. (This would make them felons...)

* The court case is the Samba developers aided by the volunteers of the Free Software Movement versus the lawyers of the Richest Man in the World and the Big Company that made him all that money (and has even more).

Regardless of the outcome it's a BIG load on the Samba developers, and probably takes them down as far as spending time competing with Microsoft is concerned.

Note that this works for Microsoft even if the Samba developers stay strictly clear of the leaked "trade secret", working strictly by reverse engineering!

So Microsoft has put a spike in Samba's wheels. Kiss any future upgrades goodbye.

How to bypass the pop-up

[Jonny+Royale]

Open the .exe you downloaded onto a Windoze machine with Winzip...extracts the file automatically. No pop-up, no muss no fuss.

Re:Not a trade secret

[tytso]

I am a law student and do not pretend to be qualified to give legal advice, but I think that the above posts which reveal the "secret" eliminate any basis for Microsoft to call this a trade secret. Once it is in the public, it is not a trade secret.

It's not that simple. If the trade secret is publicized via an "improper" means, then it's still protected under trade secret laws. So not only is the poster liable for breaching the contract, but all copies that came from that tainted source are still considered under trade secret protection.

It's on that basis that the MPAA is claiming trade secret protections for the CSS code (at least for one of their lawsuits). Their claim is that the disassembly took place in a country that doesn't have an explicit allowance for reverse engineering for interoperability purposes, and that the person couldn't have obtained a copy of the DLL without agreeing to a clickthrough license which prohibited reverse engineering. Ergo, the source of the CSS code was tainted, and therefore CSS is still a trade secret, even though it's been posted on thousands and thousands of sites.

This may sound strange, but it's how the law works. Now, if someone could prove that they came by the information via a legitimate means that didn't involve the potentially tainted CSS source, then that would be an absolute defense. But given that the CSS code has been spread far and wide, it actually makes it harder for someone to prove that their reverse engineering was actually done "cleanly".

Re:Defeating Trade Secrets 101:

[Convergence]

The GPL lets you make derivative works based on a shared library. It just doesn't let you DISTRIBUTE those derivative works.

Just like I might make a picture and say ``its free for you to use on webpages, but you can't sell t-shirts with it.'', the GPL is the same way.

That's not taking away any rights you otherwise might have had. You're just bitching because its not giving you the rights you want.

Scott

Two parts to this:

[Convergence]

There's two parts to this:

First, the information in their file is a trade secret. If they give it to you in a fashion whereby you can distribut it, the information is no longer trade secret. (Much like if Microsoft accidently some internal API docs, they can't claim trade secret protections.)

Since that keeps us from being under contract, we aren't obliged to keep the material confidential.

But!! There's a second part to this. While the information on it may no longer be confidential, the document itself is copyrighted. So while you do have the right to start sending the information within the document out to the world, I don't see where you have a right to send the document itself out into the world.

Rewrite the document into your own words, then you can make your version public domain. You cannot make Microsoft's version public domain as they have not assigned you the copyright.

IANAL (of course)

Re:OUCH! Check this out...

[BlueUnderwear]

> in the PDF, it says that viewing it means you agreed to the license... reproduced at the end.

If that silly text bothers you, check out this copy. It doesn't have the license...

CourTV reports.

[anatoli]

Judje: The normal procedure for viewing this document is running the executable and clicking the "Ok" button on the click-through agreement. So why didn't you do just that?
Defendant: Your honor, I was advised to never, ever run a program downloaded from an untrusted source.
--

Licenses.

[scumdamn]

I guess it's time to find my 11 year old cousin in China and have him download the file, copy the spec, and email it back to me.
Seriously, when a number of people have taken the spec, posted it everywhere on the internet, and the secret is out, what's going to stop the spec from being included in Samba?

Bound by what restrictions?

[Stonehead]

There was a very interesting article (it isn't published online yet, but was linked to this coverstory) in the German computer magazine C'T a few weeks ago, about the legal implications of pressing a "I agree" button etc. The conclusion was, roughly, that there aren't any! I'd find this interesting. In the same article, btw, it is suggested that written disclaimers don't matter either, since a customer isn't required to sign them..
Anyway, this too is the freedom of Open Source - anyone could start an (illegal) fork of Samba which makes use of these "trade secrets"..

Chinese team could implement it...

[Greyfox]

You coudl get a chinese team to implement it. The implementation would no doubt be illegal in the US. Much like just about every popular MP3 encoder out there. RedHat and other dists would not be able to include the implementation and it would probably never be hosted on US servers. Much like every popular MP3 encoder out there. Would that stop anyone from using it? No doubt no more than every popular MP3 encoder out there.

Consult with your lawyer

[gargle]

I advise you to consult with your lawyer first before pursuing the above course of action.

Re:The license is still all over the damn thing

[gargle]

You may not read this post unless you agree to pay me 1 billion dollars and give me your first born son's left nut.

Is this valid? No? Then neither is MS's "you must agree before you read" clause.

ERA*

[Steeltoe]

--------------------------
If you read any of the text below following this Sentence you are agreeing to its Contents and will comply promptly, failing to do so is a Federal Offence and will be procecuted to the Maximum Extent of the Laws, including UCITA and DMCA, so DO NOT read the rest of this document if you disagree or are unsure of its contents:

You (The Reader) hereby agree to read the rest of this Document, comprehend it and comply with it fully and promptly.

--------------------------
YOU HAVE AGREED TO THE TERMS OF THIS DOCUMENT.

This Document is copyright and a trade secret of Evil Corp (The Company). By reading this you have willingly purchased to view the full text of this Document for $5.000, and must send an equal amount of money to the following billing address, in a secure way:

Evil Corp Inc
Elmstreet 666
US

You may NOT reverse-engineer or disclose any parts of this Document including the first Sentence, to anyone, since the full Document is a copyrighted trade secret of Evil Corp. Evil Corp reserves ALL rights of use and distribution of this document. In addition you must refrain from discussing this Document and its implications openly to ANYONE or ANYTHING. You have also agreed to not sue or press legal charges against Evil Corp for anything EVER. Evil Corp does not claim any usability of this Document and is therefore not responsible for any misuse or anything. Evil Corp is a legal entity, protecting its employees and owners.

YOU HAVE AGREED TO THE TERMS OF THIS DOCUMENT.
--------------------------

Send some money folks!

- Steeltoe

* ERA = End-Reader-Agreement

Seriously...

[zaphod.nu]

Isn't there some kind of law against this?

We're getting whacked by big companies that uses their large legal departements to FUD the users of alternate products.

There should be something to protect us from these kind of things. Are you really allowed to make changes to a open standard and refuse to disclose it?

Maybe we should start slapping a GPL like license to standards? Something that goes like this: "Any standard that is a derivative of this standard MUST use the foo license". That would keep the nice and open standards open forever.

Note that these are my personal opinions, they are just as faulty as anyone elses.

.sig

Re:Seriously...

[alkali]

There should be something to protect us from these kind of things. Are you really allowed to make changes to a open standard and refuse to disclose it?

Trivially, yes. Suppose I write a browser that I distribute in binary form that renders standard HTML except adds the element "". No law obliges me to disclose I've made this change to the standard.

Qualification: It could be contended that the antitrust laws may prohibit a monopolist from doing this. Here is Robert Bork's argument to that effect in his white paper in the DOJ v. MS case:

That a monopolist or virtual monopolist is not free to define its product in ways that stifle competition is clear from Aspen Skiing Co. v. Aspen Highlands Skiing Corp., 472 U.S. 585 (1985). The defendant Skiing Co. owned and operated downhill skiing facilities on three mountains in Aspen; plaintiff Highlands operated on a fourth mountain. For years, the two companies offered a week-long pass, the "all-Aspen ticket," usable at any of the four mountains. The price was usually discounted from the price of daily tickets.

Skiing Co. then initiated various changes that ended its cooperative marketing with Highlands, effectively denying skiers the benefits of the four-mountain pass and diminishing substantially skiers' use of Highland's mountain. In successive ski seasons, from 1976 to 1981, Highlands' share of downhill skiing services in Aspen declined steadily: from 20.5% to 15.7% to 13.1% to 12.5% to 11%. Though it agreed that "even a firm with monopoly power has no general duty to engage in a joint marketing program with a competitor," the Supreme Court said that if the firm attempts to exclude rivals on some basis other than efficiency, its behavior is predatory. The record supported the jury's finding that Skiing Co.'s conduct lacked an efficiency justification. The Court therefore upheld the conclusion that Skiing Co. had monopolized the market for downhill skiing services in Aspen. Aspen Skiing is a direct holding that a monopolist is not free to define its product for the purpose and with the effect of excluding a competitor.

(Emphasis added. Incidentally, whatever you think of Bork as a constitutional theorist, he is recognized as standing among the very top rank of scholars of antitrust law, living or dead.)

?

[nels_tomlinson]

Are you sure about this? Microsoft was using a click-through non-disclosure. GPL does NOT use click-through, and the GPL is NOT a non-disclosure agreement. Code released under GPL is copyrighted, and you are granted a license to use it only under the terms of the GPL. This is a slightly different matter: without regard to copyright, Microsoft sleazily released this with a click-through non-disclosure. If you never get a chance to click through, you haven't agreed to the non-disclosure. There is still the issue of copyright. "Not covered by non-disclosure" is not the same as "public domain", as another poster mentioned. It seems that, having avoided the non-disclosure agreement, it would be acceptable to summarize/implement/report/etc the contents, but not acceptable to publish them verbatim in any country with copyright laws. Get busy, overseas!

I took a look at the .exe

[nels_tomlinson]

, by opening it under emacs. There is some boilerplate by Verisign, and not much else that's easily readable. I expect that there'll be a mirror for the plaintext somewhere in a few days (hint, hint... get busy, overseas!). I can't do much with it easily, I'm on AIX.

I agree, there isn't any charitable explaination for this, but it's hard to explain any other way, either. Are they doing this so that when it is spread around they can say "look what happens when we try to be open... we'll never do that again!"?

Perhaps the best reply to this is to declare that any program which will interact with microsoft is broken... don't let them on your system.

Microsoft's deCSS!

[NightHwk]

If it is that easy to obtain the 'trade secret' without making any agreements, then I hardly consider it much of a secret.

How many people have mirrored this file so far?

Can I get it on a T-Shirt yet?

Don't forget how much more evil Micros~1 is compared to the DVD industry, lets see some action taken!
Tyranny = Government choosing how much power to give the people.

Ignore W2K!!

[(void*)]

I think I am paranoid enough to believe that this is a way for MS to try to make W2K popular, by "publishing" a standard, encouraging the Samba team to make a compatible product, without appearing to support it. As you know, W2K sales suck, and they must be getting desperate ...

IMHO, they should just ignore W2K. If people ask why, point to the incompatible license, this stupid "trade-secret" and blame MS. Make MS look bad, just like how winmodems were made to look lame. Watch W2K die.

But then I could just be dreaming.

Re:Loophole?

[fsck]

What use is all this if you can't use it or implement it? Why did they bother printing this out?

What they document in this pdf is false! When the Samba team "reverse engineers" this into Samba 2.0.9 or whatever, Microsoft will sue their ass off, pointing out the poison code, and here's the kicker - its all bullshit. So now you have a Samba team in jail, and a version of Samba that still doesn't work with MS-CIFS !

Read the halloween documents again, and tell me I'm wrong.

Antitrust remedies will remove these restrictions

[Animats]

Once the interim antitrust remedies kick in, this stuff will have to be public. And that's only a few months away; those will take effect while appeals are underway, assuming the judge goes with the DOJ position, as seems likely. Here's the key part of what DOJ is asking Judge Jackson to rule:

Disclosure of APIs, Interfaces and Technical Information.
Microsoft shall disclose to ISVs, IHVs, and OEMs in a Timely Manner, in whatever media Microsoft disseminates such information to its own personnel, all APIs, Technical Information and Communications Interfaces that Microsoft employs to enable--

• i. Microsoft applications to interoperate with Microsoft Platform Software installed on the same Personal Computer, or
• ii. a Microsoft Middleware Product to interoperate with Windows Operating System software (or Middleware distributed with such Operating System) installed on the same Personal Computer, or
• iii. any Microsoft software installed on one computer (including but not limited to server Operating Systems and operating systems for handheld devices) to interoperate with a Windows Operating System (or Middleware distributed with such Operating System) installed on a Personal Computer.

To facilitate compliance, and monitoring of compliance, with the foregoing, Microsoft shall create a secure facility where qualified representatives of OEMs, ISVs, and IHVs shall be permitted to study, interrogate and interact with relevant and necessary portions of the source code and any related documentation of Microsoft Platform Software for the sole purpose of enabling their products to interoperate effectively with Microsoft Platform Software (including exercising any of the options in section 3.a.iii).

Note that this doesn't specifically require Microsoft to put all those documents on the Web. If you agree that Microsoft should be required to do so, write to the Justice Department at Microsoft.atr@usdoj.gov and ask that they require that in the final remedy.

Re:Defeating Trade Secrets 101:

[TheLaser]

Surely you jest. If failing to read a license causes me not to be bound by it, then maybe I'll just download the Linux kernel code, ignore the license, and call it public domain. Then, if it's public domain (and no longer GPLed), I can compile it and distribute binaries without source.

The license exists, and not reading it has no effect on whether you are licensed or not.

But the difference is that in either case, you would not be able to re-distribute the document. Copyright law still applies, even though the license does not. In the case of GPL'd software, you can still read the source code and write an entirely new implementation of it, or compile and use the software without agreeing to the license. You would not be able to redistributed it however. The same would be true for the specification, you can not make a copy of it, but you certainly can read it, at least until UCTIA becomes law and says otherwise.

On the other hand, might the extraction of the .pdf from the .exe be considered "copying" it?

And another thing, wouldn't that make WinZip an illegal encryption bypassing device under DMCA?

IANAL, NDIPOOTV

Re:Is "Kerberos" trademarked?

[xee]

This all depends...

If Microsoft used Kerberos code from MIT (which is distributed under a BSD-style license) then they must say that it is based on Kerberos. To not do so, would be in violation of the license.

However,

This is not necessarily the case for original code written to comply with an IETF standard (look at IIS, based on several RFCs, but not a derivitive work). If Microsoft wrote their own Kerberos code from scratch, but claims that it is compatible with the IETF Specification, that may be breaking some rules.

By the way, IANAL. If there are any lawyers reading this, please correct any errors I have made.


-------

Microsofts intention

[Kailden]

It seems to me that the point of Microsoft releasing this spec is not so others can implement thier own versions. They are releasing the spec in order that security experts can review it as well as third-parties can take advantage of interacting with it in Win2000.

This is in no way a step towards opening it up for open-source contribution.

Think about it...even if M$ is broken up, one of those companies will be ther operating system group, and that group will be interested in getting good reviews from security experts and third party integration. It's pretty much the way Microsoft has built its empire from the beginning: giving and collabarating with a heavy advantage.

What do you expect? This is big business. This is Microsoft's new OS. Do you really think they would open it up?

Microsoft is not built on the foundation of open-source, and like any pure software company, will not lose money to increase collabaration unless the customers demanded it in such a way that Microsoft gains revenue.

PDF available here...

[br4dh4x0r]

Just in case anyone who doesn't have Windows wants this...

http://www.angelfire.com/boybands/billgates/kerbsp ec.pdf

love,
br4dh4x0r

Re:Loophole? Loophole2.

[Tarront]

IIRC there is another part about trade secrets which in essence I take to mean that you do not have to use any more measures than the original company took. In this instance since they are not using a secure server, it is about the same as taking a hardcopy of it and leaving it on a park bench somewhere.

Re:Defeating Trade Secrets 101:

[gilroy]

Quoth the poster:

A PDF document written about a technical issue is not computer code

Isn't it? What is the difference between a PDF files -- a stream of 1s and 0s which, when interpreted by a certain computer program, causes a particular action (i.e., a display of text) -- and a source code file -- a stream of 1s and 0s which, when interpreted by a certain computer program, causes a particular action (i.e., a display of text)? Is it really true that a PDF file is a sancrosanct copyrighted document but a batch file consisting only of "echo" commands would not be? Even though the batch file transmits the same information to the screen?

Also quoth the poster:

and its protection under copyright law would be unquestioned by any court in the US.

Agreed. Of course, that doesn't prove that the courts aren't laboring under a misconception. Digital data changes everything -- all creative works expressed as digital data are essentially simply numbers and numbers, being concepts, cannot be copyrighted.

But I'm just philosophizing. Like everyone else on slashdot, IANAL.

wow

[john_many_jars]

I am willing to give MS the benefit of the doubt on a lot of issues. I have just recemtly started devloping in the MS SDK--coming from a POSIX-ish background of Sun. I have a theory about why their business practices are the way they are. Microsoft has never had a good, original idea, principle, or product (except, maybe Excel). So, Microsoft must adapt other ideas to fit their operating system. Since there are still DOS v1 and v2 commands still floating around in the SDK, it appears that this has been happening for a long time. Because of all the horrendous assumptions they made years ago (ie, Who will ever need more RAM than 640k), they have poorly fit standard and necessary operating system functions into their SDK (for a good example of this, look at hooks). And since their assumptions in the beginning were never fixed, just poorly patched and modifications were made to work around them, certain things that should be taken for granted in a real operating system cannot be. (Look at file locking and you'll see what I mean) So, rather than fix the os, they have to mangle existing standards so that they will fit with the 2-bit SDK MS has. Therefore, it isn't the business end of MS driving the idiocy, but the idiocy of the "imagineers" at MS driving the business principles. So the blame shouldn't be on the business dealings of MS for they have done an amazing job of hyping a flawed product. Rather, it should be that the managers and other "imagineers" at MS who make decisions about os implementation take the blame for the corruption of standards. QED: Bill Gates built his empire on faulty assumptions.

Re:Full text - Now I _have_ to destroy it

[pacc]

How do I remove a slashdot article which I have to destroy since I cannot read it - damn those disclaimers.

OUCH! Check this out...

[LoonXTall]

In the PDF, it says that viewing it means you agreed to the license... reproduced at the end.

-- LoonXTall

WOW...

[Meshpatra]

If M$ has such brilliant lawyers who draw up such amazing licensing documents, then i wonder how M$ could lose the court room battles.... :-)

What happens to my conf. dealings with M$

[turtleshadow]

If I say -- had confidential dealings with M$ and wanted to say sue them for possible breach of similiar language. Can their precident be leveraged for their obvious apparent lack of security (less then even a simple ID password registration script required for their support pages) in favor of us little guys? If they treat their confidential stuff in a shoddy way there is no guarentee they have treated mine better -- If anything any one want to see if it can leverage their contract's enforcement clauses? Regards,

Re:Is "Kerberos" trademarked?

Indeed MS has maintained interoperatbility. There were vendor defined fields where MS added extra information to make the delegation work between multiple W2K domains. Kerberos hasn't been tarnished by this and MS extended an olive branch by showing what they stuffed in the vendor-defined fields. Of course the /. folks go silly over a boilerplate licensing agreement rather than looking at the issue itself. Vendor defined fields can be a good thing if a standard does not have to be too tightly defined. Don't get upset folks. Your Kerberos network still works. I don't want to say who I am but I'm "in the know"

hello

Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
April, 2000
) 2000 Microsoft Corporation.
All rights reserved.
Microsoft Confidential
Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporations website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerberos .
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document.
Abstract
Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is
used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for
user logon and to create an access token. The access token is used by the system to enforce
access checking when attempting to reference objects. This document describes the structure of
the Windows 2000 specific authorization data that is carried in that field.
Top-Level PAC Structure
The PAC is generated by the KDC under the following conditions:
during an AS request that has been validated with pre-authentication
during a TGS request when the client has no PAC and the target is a service in the domain or a
ticket granting service (referral ticket).
The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket.
Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.
The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is
made up of several layers. The outer structure, contained directly in the authorization data, is as
follows. The top-level structure is the PACTYPE structure:
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;
Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the
following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the
PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is
complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer
types or complex structures) it is a little-endian format data structure.
PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of
the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR
encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type
PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;
The fields are defined as follows:
LogonTime - the time the client last logged on.
LogoffTime - the time at which the clients logon session should expire. If the logon session should
not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be
forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user.
PasswordLastSet - the time the clients password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the clients password is allowed to change. If there is no
restriction on when the client may change its password, this field should be set to the time of the
logon.
PasswordMustChange - the time at which the clients password expires. If it doesnt expire, this field
is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the clients Windows 2000 UserName, stored in the Active
Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength
and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose
and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all
zero.
LogonScript - This field contains the path to the clients logon script. This field is optional. If left blank
the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the clients profile. This field is optional. If left blank the
length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the clients home directory. It may be either a local
path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer
are all zero.
HomeDirectoryDrive - This field is only used if the clients home directory is a UNC path name. In that
case, the share on the remote file server is mapped to the local drive letter specified by this field.
This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This
statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with
bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this clients primary group.
* GroupCount - This field contains the number of groups, within the clients domain, to which the
client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the clients
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits
that may be set are indicated below. Having these flags set indicates that the corresponding fields
in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket
request.
LogonDomainName - This field contains the NETBIOS name of the clients domain.
* LogonDomainId - This field contains the SID of the clients domain. This field is used in conjunction
with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the clients account. Valid
values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid
if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only
valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds
field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags
field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in
conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in
the resource domain of which the resource is a member.
Fields marked with a '*' are used in the NT token.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as
follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;
Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC
time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is
defined as:
typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;
The Length field contains the number of bytes in the string, not including the null terminator, and the
MaximumLength field contains the total number of bytes in the buffer containing the string.
The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding
attributes for the group.
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
The constant value for the NT Authority is:
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
} SID, *PSID;
The SubAuthorityCount field contains the number of elements in the actual SubAuthority
conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding
attributes:
typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
The attributes are the same as the group attributes defined above.
Client Information
The client information is included in the PAC to allow a server to verify that the PAC in a ticket is
applicable to the client of the ticket, which prevents splicing of PACs between tickets. The
PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.
typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
The fields are defined as follows:
ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded
using "/" to separate parts of the client principal name with an "@" separating the client principal
name from the realm name. The string is not null terminated.
Supplemental Credentials
The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are
data associated with a security package that is private to that package. They can be used to
return an appropriate user key that is specific to that package for the purposes of authentication.
Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are
always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and
then encrypted with the key used to encrypt the KDCs reply to the client. The
PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE.
Supplemental credentials for a single package are NDR encoded as follows:
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
The fields in this structure are defined as follows:
PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:
typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;
The fields are defined as follows:
CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials.
The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to
encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is
not present.
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type
uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.
Signatures
The PAC contains two digital signatures: one using the key of the server, and one using the key of
the KDC. The signatures are present for two reasons. First, the signature with the servers key is
present to prevent a client from generating their own PAC and sending it to the KDC as encrypted
authorization data to be included in tickets. Second, the signature with the KDCs key is present to
prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures
are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM
respectively.
The signatures are contained in the following structure:
typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
The fields are defined as follows:
SignatureType - This field contains the type of checksum used to create a signature. The checksum
must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes
may be determined by the wrapping PAC_INFO_BUFFER structure.
For the servers checksum, the key used to generate the signature should be the same key used to
encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the servers TGT
should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDCs
checksum.
The checksums are computed as follows:
1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the servers key, and the result is stored in the
servers checksum structure.
4. The servers checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.
PAC Request Pre-Auth Data
Normally, the PAC is included in every pre-authenticated ticket received from an AS request.
However, a client may also explicitly request either to include or to not include the PAC. This is done
by sending the PAC-REQUEST preauth data.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}
The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a
PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be
included, even if other preauth data is present.
The preauth ID is:
#define KRB5_PADATA_PAC_REQUEST 128
References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000
) 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.

Logic flaw

[GeorgeH]

"You must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information."

Since we release our source code for the world to see, we should take the same precautions with their specifications, right? Since the precaution we take is by applying the GPL to our source, the same should be done with their spec. I guess they forgot that not everyone has been assimilated yet.
--

Re:Loophole?

[myconid]

Heres a good loophole. Install Winrar, right click on the icon and select OPEN WITH WINRAR, extract the file. Whats a license? I never saw one..

Re:Is "Kerberos" trademarked?

[Jeremy+Allison+-+Sam]

> Of course the /. folks go silly over a
> boilerplate licensing agreement

Come now, this is hardly a "boilerplate licensing agreement". This is a deliberate attempt to keep control of the spec. and make it unimplementable in open code.

This is not what *anyone* in the Open Source community or at MIT had in mind when they asked Microsoft for the spec, something I have personally been doing for 2+ years.

> I don't want to say who I am but I'm "in the
> know"

Yeah, yeah, easy to say anonymously. I'd feel happier seeing a statement from folks I actually *know* and trust at Microsoft that this was a licensing screwup that will get fixed soon, but I'm not holding my breath.

Regards,

Jeremy Allison,
Samba Team.

Re:Is "Kerberos" trademarked?

[Jeremy+Allison+-+Sam]

> I think is that in order for their SMB client
> (ie, microsoft networking) to use Kerberos
> authentication when connecting to an SMB file
> server, it requires the use
> of their proprietary extension to kerberos, the
> priveledge attribute certificate - PAC.
> Apparently the Samba developers ran into this
> problem while trying to add kerberos support to
> samba and make it work with windows 2000

No, this is not true at all. Samba doesn't *need* this PAC format except as an optimization. See my posting below in this.

The MIT kerberos and Heimdal developers need to implement this PAC format, something explicitly denied to them in this license.

Regards,

Jeremy Allison,
Samba Team.

Heh, I like this. Get some teens on it!

[hatless]

Not sure what a court would make any of this.. a proprietary grab at an IETF task force submission (itself similar to the patent application for stylesheets last year).

Maybe the answer is to get some 15-year-old programmers to merge this into the Samba, OpenLDAP and standard Kerberos code trees.

In any case, this certainly poisons the well. Releasing the specs of their changes like this is worse than keeping it closed: it will make it extremely difficult for an unpolluted clean-room implementation of the modified protocol to be accepted into anything, as anyone who has reviewed this spec may well be barred from participating in even a reverse-engineered implementation.

This is brilliantly evil.

I wonder if the PDFs are individually watermarked to track *who* leaked a given copy. I don't think I've ever seen Microsoft publish anything as a PDF before. They usually pass this stuff out as HTML or a Word document.

Re:Full text

[arivanov]

Erm... we need a new /. moderator category: "illegal"

Yes we do. With a +2 rating.

The fud'din difference...

[sterno]

The difference is that in the microsoft realm, this is the process:

embrace -> extend

In open source, this is the process:

embrace -> extend -> publish extensions

Open source advocates are very happy to back extension and improvement of a standard as long as it is a PUBLISHED standard. When a company adds an extension and refuses to publish it, they create incompatibility (or in other parlance, competitive advantage).

Microsoft, historically, has extended things purely as a means of maintaining control. They don't actually enhance anything, they just attempt to maintain their monopoly. This appears to be yet another case of the same thing.

---

Get around the license ... ?

[Sehnsucht]

Isn't it true that minors can't agree to such licenses, or something like that? If so, I could have my lil bro download and click, then I could copy the PDF elsewhere.. hehe

Re:Defeating Trade Secrets 101:

[dillon_rinker]

I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.

Now, if you're up for some work, what you could do is rewrite the whole thing, while preserving the ideas - copyright doesn't cover that. Or you could tell people how to get this. But don't make yourself a target for MS's legal division; that's completely unnecessary.

can this be bypassed?

[Vlad_the_Inhaler]

So what happens if someone in Usbekistan grabs the specs and puts them up on the net? Does this then make them publicly available and the person who did this liable for prosecution in a country that could not care less anyway?

The GPL (for instance) is routinely ignored in China so China would seem be another good candidate.

Does this hamper legitimate reverse-engineering?

[interiot]

IANAL (and when I pretend to be, I'm often wrong (WIPTBIOW)), so feel free to give counterarguments if you think of any.

Does this hamper legitimate reverse-engineering of the product?

Before, the implementation details were not known except for inside microsoft, so if someone implemented it, it was assumed that they reverse-engineered it. If MS wanted to say that secrets were stolen from within MS, then MS had the burden of proof.

Now, the details are out in the open, but unusable. So if someone implements it now, it's up to them to prove that they used clean room reverse-engineering. Furthermore, they might have to show that those in the clean room had never seen the public-but-secret document before.
--

kerberos.pdf unzipped and unlicensed!

[BlueUnderwear]

> So, what if some unknown person, logged on from a public access PC (such as at a library), downloaded this stuff, then posted it, sans license, on a free website, such as geocities?

You're wish has been granted: kerberos.pdf

Kerberos.pdf unzipped, unfeathered and unencumberd

[BlueUnderwear]

Download it here. It's unzipped, and that pesky footer on each page has been removed too. Enjoy!

Why does this rule out a competing implementation?

[Loge]

whilst making it completely impossible to implement in competiting implementations which implements their propietary protocol extensions

Huh? It looks to me like these conditions just specify what is required to gain access to the specification...I don't see anything that prohibits development competing implementation without Microsoft's consent. This agreement simply allows Microsoft to keep track of who sees the spec, nothing more.

You can speculate on how they use this information, and how they might react in the future when competing implementations do appear, but that has nothing to do with who can or can't implement the extensions themselves.

Re:Full text

[user]

Erm... we need a new /. moderator category: "illegal"

INAL, but I believe that things of the nature of this "trade secret" fall under the same logic as copyrights - that is, as long as the provider, Microsoft, has made a good faith attempt to inform the recipients that the material has certain restrictions - which they have done - the material, and the recipient(s) are indeed bound by the restrictions (unless the restrictions themselves are found to be illegal). You can't download the information directly from MS without being informed of the existence of the license, and thus (assuming the license itself is legal), you are bound by it even if you creatively bypass the license itself.

While individuals who may happen to receive the information through non-MS distribution channels are probably not breaking the license (if they can plausibly be unaware of its existence and circumvention), this is not to say that they are not bound by the "thou shalt not implement" clause, as this right was never bestowed by MS upon the original recipient.

This would be analagous to me stealing something from CmdrTaco and giving it to you, not telling you where I got it from. You don't suddenly own the object, even though you didn't know it was stolen, and would be required to return it to CmdrTaco - and most likely any economic loss you suffered would be owed to you by me, the person who broke the law in the first place.

-User

Why circumvent the license.....

[ChadM]

when you can simply ignore it and continue using the REAL kerberos protocol(if you wish). Microsoft is trying to be sneaky by saying "maybe if we make it seem like we don't want people to use this they will use it even more." Look through it and realize that apps written utilizing this protocol will only tell Microsoft that their little ploy worked. If it keels over and dies they might realize "hah maybe we should just stick to the REAL protocols." I'm not an expert in the way all that stuff works but it seems fairly obvious to me what they're trying to do

Oh

[jbarnett]

Who would have thought that you could publish a trade secret on the web

Oh dam, I bet that is why I was fired from Coke-a-cola... it is all so clear now.

Lawyer-judo

[Silicon+Rat]

If somebody were to accidentally-brutally table this as evidence in a court case, it would become a matter of public record Be a shame that.

Yes! Embrace and extend Microsoft!

That's the way to do it. Propose an extension of Kerberos that uses this field. After all, there's no published use for this field by anybody, so it's free for the using, right? :-)

Make it similar to but not the same as what MS is doing so that MS's version is broken. (Gee, where have we seen that tactic before?). And we could even use the .pdf file to do it -- we're not implementing a compatible version, now are we? And after reviewing the MS doc "for security analysis", we decided that it wasn't quite up to snuff in the security arena (because it doesn't allow for secure authentication with non-MS systems).

Posting the data is all well and good, but....

[smartin]

What happens to the people that implement it (ie. the Samba guys) even if they obtain the information without intentionally breaking the license. Are they exposing themselves to expensive litigation? Are they endangering the project?

Ignore Microsoft's release, don't break license

[jonabbey]

I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

The bigger issue here is that spreading stuff that Microsoft has indicated is not for distribution (and implementation) is no more morally respectable than someone ignoring inconvenient provisions in the Gnu General Public License. There may be a legal question as to whether anyone requires a license from Microsoft to implement any kind of spec, but taking the attitude that we have the right to take possession of their stuff is problematic at best.

We don't want people to get the idea that free software / open source software people are thieves, we want them to get the idea that we are better because we are willing to do hard work on our own.

Until a lawyer comes along and officially says that Microsoft's attempt at doing an orwellian double think specification release runs afoul of the law, leave this stuff alone.

Microsoft Instant Messenger

[ink]

So open standards are passe, eh Microsoft?

Remeber the AOL vs. IM debacle? When AOL refused to allow IM to work with AIM, Microsoft wanted a standards agency to govern some sort of instant message standard. Well, well, well, now we have a real, open RFC standard defining Kerberos, but do they want it?

This is typical Microsoft. They have some of the most excellent coders, and excellent people in other fields working there, but they also have some of the most selfish policies in the industry.

The wheel is turning but the hamster is dead.

The license is still all over the damn thing

[JPelorat]

It's printed on every page. Extracting it from the file without reading that license gets you nowhere, cos the first paragraph says you have to have licensed it to read further. And then it's at the bottom of every page after that.

Extracting it from the cab file doesn't do you any good. It certainly doesn't let you bypass the license.

Loophole?

[SgtPepper]

at least as great as the precautions you take to protect your own confidential information

Well hrm....what if I /don't/ take any precautions to protect my confidential information?

Or less crazy, what if the precautions I /do/ take aren't that great?

Just a thought...

Besides, shouldn't we be at least somewhat glad they did THIS. They didn't HAVE to. And yeah it's still stupid that they messed with Kerberos, but this is one step farther that they wouldn't have gone before.

So far they're acting better then nVidia.

Oooo, that's gonna piss someone off ;)

Re:Loophole?

[ka9dgx]

http://warot.com/freedom/kerbspec.pdf
What happens now?
--Mike--

Re:Loophole?

[RickyRay]

Seems to me like we could eliminate the entire issue by convincing the official maintainers of Kerberos to give an official use for the byte M$ took over (in the next release). Then the only way M$ would be able to remain compliant with the spec is to remove their proprietary addon.

The freedom to innovate

[Croaker]

Well, you got to give Microsoft credit. Their ability to reveal their additions to a perfectly good public standard in such a way as to remain propretary is certainly innovative.

Trade secret == open season

[seebs]

Remember, you're allowed to try to *obtain* a trade secret, and once you do, if you haven't agreed to anything, it's no longer a secret.

Trade secrets enjoy very little legal protection, unlike other kinds of information. They can't sue you for infringement, for instance.

So, if someone is able to *extract* the information from the .exe, without running it or agreeing to anything, that's well and good.

Trade secrets are a poor form of "security".

Not for interoperability!

[MeanGene]

The license states that

the Specification is provided...for the sole purpose of reviewing the Specification for security analysis.

And later: Microsoft does not grant you any right to implement this Specification.

I guess, if you want to make anything else out of it, you'd be in violation of everything and anything...

Ahhhh....

[SvnLyrBrto]

Anonymous computer time at Kinkos: $.20/minute...

Anonymous Geocities site to host the file: $0.00

The looks on Gates and Ballmer's faces as their "trade secret" is mirrored on thousands of sites worldwide....

... Priceless!

john

Re:Is "Kerberos" trademarked?

[altair1]

win2000 actually will work with standard Kerberos services, to an extent. For instance, I set up a win2k workstation to authenticate logons against a unix KDC. You can also do some other small things, like ticket management while using a standard Kerberos KDC. But that is about the extent of their support for standard kerberos, at least as far as I know. The telnet and FTP clients are not Kerberized, and nothing in internet explorer is as far as I could tell.

The problem raised in this article I think is that in order for their SMB client (ie, microsoft networking) to use Kerberos authentication when connecting to an SMB file server, it requires the use of their proprietary extension to kerberos, the priveledge attribute certificate - PAC. Apparently the Samba developers ran into this problem while trying to add kerberos support to samba and make it work with windows 2000 (using Kerberos authentication. Samba will still work with win2k using the older auth methods).

So win2k does support standard kerberos, but not in enough applications (like file sharing, telnet, ftp, IE) for users to actually do anything usefull when working with a unix KDC. I suppose they might have just added this support so they could say win2k is compliant with that standard. If they ever do implement kerberos in any of their other apps, some of which I mentioned, it will probably be equally broken.

It's just a CAB file

[Sami]

As most Microsoft's self-extracting files, this one is only a CAB file and therefore, you can simply use a program like WinZip to extract the PDF document.

Will scrutiny of MS ever work?

[tjwhaynes]

I'm amazed. Truely amazed. Given that nobody could be under any illusions at all that Microsoft was very much in the eye of the world at a time when the abuse of monopoly power has just been acknowledged by the courts, you would have thought that Microsoft would be on its best behaviour until the dust settled. But no.

And it's not just the Kerberos 'embrace and extend' play which has surfaced. The story going around about the Bill Gates 'smoking gun' memo on altering Windows 2000 apps to make life harder for people with Palm Pilots has also just appeared. A large part of the DOJ/ US States proposal is that MS be split up *and* be subjected to 3 years of scrutiny under fairly draconian terms. So the last thing that MS could possibly want is to make the need for scrutiny mandatory and yet this is, in all effective purposes, exactly what moves like this are liable to do - leave the courts/govt no choice except to constantly sit on the coat tails of MS and see where they are going.

Cheers,

Toby Haynes

Double Blind Reverse Engineer

[Kagato]

It's not like companies don't get around this stuff all the time. It just takes a little more effort. You need to have a double blind. Basically doing the same thing that Compaq did with IBM's BIOS on the PC.

The first part is person to write a spec. This spec. should detail how you want something to work. "When the client does X the server should respond with Y". Etc. etc.

This person will have no other role. This person should not be associated with the developement of the MS extentions. Nor should he know any of the people who will be working on this.

His work should be handed to a third party who will deliver his spec to the developement team. Reverse engineering shall begin. It's a pain to do, but it is workable.

At any case there should be a nice stink made about this. I suggest that anyone who is a microsoft support customer contact your TAM or GTAM and let them know that this stinks.

Full text

© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 1 of 12
Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
April, 2000
© 2000 Microsoft Corporation.
All rights reserved.
Microsoft Confidential
Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporation's website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerberos .
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document.
Abstract
Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is
used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for
user logon and to create an access token. The access token is used by the system to enforce
access checking when attempting to reference objects. This document describes the structure of
the Windows 2000 specific authorization data that is carried in that field.
Top-Level PAC Structure
The PAC is generated by the KDC under the following conditions:
during an AS request that has been validated with pre-authentication
during a TGS request when the client has no PAC and the target is a service in the domain or a
ticket granting service (referral ticket).
The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket.
Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.
The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is
made up of several layers. The outer structure, contained directly in the authorization data, is as
follows. The top-level structure is the PACTYPE structure:

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 2 of 12
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;
Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the
following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the
PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is
complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer
types or complex structures) it is a little-endian format data structure.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 3 of 12
PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of
the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR
encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type
PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;
The fields are defined as follows:
LogonTime - the time the client last logged on.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 4 of 12
LogoffTime - the time at which the client's logon session should expire. If the logon session should
not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be
forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user.
PasswordLastSet - the time the client's password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the client's password is allowed to change. If there is no
restriction on when the client may change its password, this field should be set to the time of the
logon.
PasswordMustChange - the time at which the client's password expires. If it doesn't expire, this field
is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the client's Windows 2000 UserName, stored in the Active
Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength
and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose
and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all
zero.
LogonScript - This field contains the path to the client's logon script. This field is optional. If left blank
the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the client's profile. This field is optional. If left blank the
length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the client's home directory. It may be either a local
path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer
are all zero.
HomeDirectoryDrive - This field is only used if the client's home directory is a UNC path name. In that
case, the share on the remote file server is mapped to the local drive letter specified by this field.
This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This
statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with
bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this client's primary group.
* GroupCount - This field contains the number of groups, within the client's domain, to which the
client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the client's
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits
that may be set are indicated below. Having these flags set indicates that the corresponding fields
in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket
request.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 5 of 12
LogonDomainName - This field contains the NETBIOS name of the client's domain.
* LogonDomainId - This field contains the SID of the client's domain. This field is used in conjunction
with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the client's account. Valid
values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid
if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only
valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds
field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags
field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in
conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in
the resource domain of which the resource is a member.
Fields marked with a '*' are used in the NT token.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as
follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 6 of 12
Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC
time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is
defined as:
typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;
The Length field contains the number of bytes in the string, not including the null terminator, and the
MaximumLength field contains the total number of bytes in the buffer containing the string.
The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding
attributes for the group.
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
The constant value for the NT Authority is:
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 7 of 12
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
} SID, *PSID;
The SubAuthorityCount field contains the number of elements in the actual SubAuthority
conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding
attributes:
typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
The attributes are the same as the group attributes defined above.
Client Information
The client information is included in the PAC to allow a server to verify that the PAC in a ticket is
applicable to the client of the ticket, which prevents splicing of PACs between tickets. The
PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.
typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
The fields are defined as follows:
ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded
using "/" to separate parts of the client principal name with an "@" separating the client principal
name from the realm name. The string is not null terminated.
Supplemental Credentials
The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are
data associated with a security package that is private to that package. They can be used to
return an appropriate user key that is specific to that package for the purposes of authentication.
Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are
always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 8 of 12
then encrypted with the key used to encrypt the KDC's reply to the client. The
PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE.
Supplemental credentials for a single package are NDR encoded as follows:
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
The fields in this structure are defined as follows:
PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:
typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;
The fields are defined as follows:
CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials.
The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to
encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is
not present.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 9 of 12
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type
uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.
Signatures
The PAC contains two digital signatures: one using the key of the server, and one using the key of
the KDC. The signatures are present for two reasons. First, the signature with the server's key is
present to prevent a client from generating their own PAC and sending it to the KDC as encrypted
authorization data to be included in tickets. Second, the signature with the KDC's key is present to
prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures
are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM
respectively.
The signatures are contained in the following structure:
typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
The fields are defined as follows:
SignatureType - This field contains the type of checksum used to create a signature. The checksum
must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes
may be determined by the wrapping PAC_INFO_BUFFER structure.
For the server's checksum, the key used to generate the signature should be the same key used to
encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the server's TGT
should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDC's
checksum.
The checksums are computed as follows:
1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the server's key, and the result is stored in the
server's checksum structure.
4. The server's checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 10 of 12
PAC Request Pre-Auth Data
Normally, the PAC is included in every pre-authenticated ticket received from an AS request.
However, a client may also explicitly request either to include or to not include the PAC. This is done
by sending the PAC-REQUEST preauth data.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}
The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a
PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be
included, even if other preauth data is present.
The preauth ID is:
#define KRB5_PADATA_PAC_REQUEST 128
References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
Page 11 of 12
Legal Notice
This Specification is provided to you pursuant to the terms and conditions of the Agreement for
Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000 Operating Systems (the
"Agreement") for the sole purpose of allowing you to review the Specification for security analysis,
as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an
authorized licensee of the Specification.
For your reference, the Agreement is reproduced below.
Agreement for Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
IMPORTANT--READ CAREFULLY: This Microsoft Agreement ("Agreement") is a legal agreement between you (either
an individual or a single entity) and Microsoft Corporation ("Microsoft") for the version of the Microsoft
specification identified above which you are about to download ("Specification"). BY DOWNLOADING,
COPYING OR OTHERWISE USING THE SPECIFICATION, YOU AGREE TO BE BOUND BY THE TERMS OF THIS
AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT DOWNLOAD, COPY, OR USE THE
SPECIFICATION.
The Specification is owned by Microsoft or its suppliers and is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws and treaties.
1. LICENSE.
(a) Provided that you comply with all terms and conditions of this Agreement, including without limitation
subsections (b)-(d) below, Microsoft grants to you the following non-exclusive, worldwide, royalty-free,
non-transferable, non-sublicenseable license, under any copyrights or trade secrets owned or
licensable by Microsoft without payment of consideration to unaffiliated third parties, to reproduce
and use a reasonable number of copies of the Specification in its entirety for the sole purpose of
reviewing the Specification for security analysis. By way of clarification of the foregoing, the
Specification is provided to you solely for your informational purposes (for review as specified above)
and, pursuant to this Agreement, Microsoft does not grant you any right to implement this
Specification.
(b) The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not
disclose the Specification to anyone else (except as specifically allowed below), and you must take
reasonable security precautions, at least as great as the precautions you take to protect your own
confidential information, to keep the Specification confidential. If you are an entity, you may disclose
the Specification to your full-time employees on a need to know basis, provided that you have
executed appropriate written agreements with your employees sufficient to enable you to comply
with the terms of this Agreement. You are also permitted to discuss the Specification with anyone else
who has downloaded the Specification and agreed to these terms and conditions.
(c) You may not remove any of the copyright notices or other legends from any copy of the
Specification.
(d) Microsoft reserves all other rights it may have in the Specification and any intellectual property therein.
Microsoft may have patents or pending patent applications, trademarks, copyrights, trade secrets or
other intellectual property rights covering subject matter in the Specification. The furnishing of this
Specification does not give you any license to these patents, trademarks, trade secrets, copyrights, or
other intellectual property rights, except as specifically set forth in subsection (a) above with respect
to certain copyrights and trade secrets.

Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
Page 12 of 12
2. ADDITIONAL LIMITATIONS.
(a) The foregoing license is applicable only to the version of the Specification which you are about to
download. It does not apply to any additional versions of or extensions to the Specification.
(b) Without prejudice to any other rights, Microsoft may terminate this Agreement if you fail to comply
with its terms and conditions. In such event you must destroy all copies of the Specification in your
possession or under your control.
3. INTELLECTUAL PROPERTY RIGHTS. All ownership, title and intellectual property rights in and to the Specification
are owned by Microsoft or its suppliers.
4. DISCLAIMER OF WARRANTIES. To the maximum extent permitted by applicable law, Microsoft and its
suppliers provide the Specification (and all intellectual property therein) AS IS AND WITH ALL FAULTS, and
hereby disclaim all warranties and conditions, either express, implied or statutory, including, but not limited to,
any (if any) implied warranties or conditions of merchantability, of fitness for a particular purpose, and of
accuracy or completeness, all with regard to the Specification and any intellectual property therein. ALSO,
THERE IS NO WARRANTY OR CONDITION OF TITLE OR NON-INFRINGEMENT WITH REGARD TO THE SPECIFICATION
AND ANY INTELLECTUAL PROPERTY THEREIN.
5. EXCLUSION OF DIRECT, INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY
DIRECT, SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT
LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR FOR BUSINESS INTERRUPTION) ARISING OUT OF OR IN ANY WAY
RELATED TO THE USE OF OR INABILITY TO USE THE SPECIFICATION, ANY INTELLECTUAL PROPERTY THEREIN, OR
OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT, EVEN IF MICROSOFT OR ANY
SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6. LIMITATION OF LIABILITY AND REMEDIES. Notwithstanding any damages that you might incur for any reason
whatsoever, the entire liability of Microsoft and any of its suppliers under any provision of this Agreement and
your exclusive remedy for all of the foregoing shall be limited to the greater of the amount actually paid by
you for the Specification or U.S.$5.00. The foregoing limitations, exclusions and disclaimers shall apply to the
maximum extent permitted by applicable law, even if any remedy fails its essential purpose.
7. APPLICABLE LAW. This Agreement is governed by the laws of the State of Washington.
8. ENTIRE AGREEMENT. This Agreement is the entire agreement between you and Microsoft relating to the
Specification and it supersedes all prior or contemporaneous oral or written communications, proposals and
representations with respect to the Specification.

Not a trade secret

[troyboy]

I am a law student and do not pretend to be qualified to give legal advice, but I think that the above posts which reveal the "secret" eliminate any basis for Microsoft to call this a trade secret. Once it is in the public, it is not a trade secret.

A similar case was presented in Religious Technology Center v. Netcom, 923 F. Supp. 1231 (N.D. Cal. 1995), where the judge held that RTC was unlikely to succeed in a trade secret suit against someone who had obtained the documents on USENET. The judge said that "although a work posted to an Internet newsgroup remains accessible to the public for only a limited time, once that trade secret has been released into the public domain there is no retrieving it."

Now, the poster may be liable for breaching the contract, but it is no longer a trade secret...

Better than a patent

[Thagg]

I don't blame you if you missed it during the DeCSS imbroglio, but this is so clear that it is unmistakable.

A way to get *permanent* protection over an idea or an implementation is to cause the secret to be leaked illegally.

Then, you sue everybody who implements the idea, at any time in the future, saying that they were inspired, or at least tainted, by the illegal release of the information. Trade secret laws do not allow the use of a secret if 'sufficient protections are taken'.

Previously, I had thought that a company would need a shill to do the publication of the secret; which is of course dangerous if the shill squeals. Microsoft has shown their ability to innovate here; publishing it as a secret sure to be 'improperly' released is a much better scheme.

thad

Re:Defeating Trade Secrets 101:

[Sloppy]

I did NOT agree (nor did I even SEE) the license, and I now have access to the .pdf file. I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

Surely you jest. If failing to read a license causes me not to be bound by it, then maybe I'll just download the Linux kernel code, ignore the license, and call it public domain. Then, if it's public domain (and no longer GPLed), I can compile it and distribute binaries without source.

The license exists, and not reading it has no effect on whether you are licensed or not.

The power of the license, on the other hand, is quite debatable.

---

Re:Does this hamper legitimate reverse-engineering

[NMerriam]

Does this hamper legitimate reverse-engineering of the product?

No more than IBM hampered Compaq from reverse-engineering the original IBM-PC BIOS back in '83.

IBM actively published the BIOS specifications for exactly the reason you state -- it made it improbably that anyone technically capable of reverse-engineering it had not been exposed to the "trade secret". They thought it would make bulletproof legal protection.

Compaq had to search wide and far to find a team of engineeres who could swear they had never seen or heard anything about the BIOS "trade secrets". They locked them in a room with a black box version of the IBM-PC, and a second team "outside the room" (since they had been exposed to the trade secrets) would tell them whether they were hot or cold. They reverse-engineered it in one of the most important feats of the computer age.

And they kept detailed logs & journals of every step along the way so that they could prove beyond a doubt that they had succeeded in reverse-engineering the BIOS without seeing the published "secrets".

This may be, alas, further proof of Microsoft's fall -- they truly are becoming like IBM was back then, using tricks and traps to protect themselves rather than building a better mousetrap.

What's sad is that MS, Compaq, et al -- who would not exist without that single feat of engineering -- are more than happy to support laws that would prevent it from happening again (DMCA, etc).

Defeating Trade Secrets 101:

[iCEBaLM]

1. Download the evaluation copy of winzip if you don't already have it.

2. Download the dumb exe thing.

3. Open Winzip, and then open the exe WITH WINZIP.

4. Extract the PDF without agreeing to the license.

This is what I have done, I did NOT agree (nor did I even SEE) the license, and I now have access to the .pdf file. I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

-- iCEBaLM

Re:Defeating Trade Secrets 101:

[Ephro]

Trade secrets MUST have the following conditions met to be held up in court as a trade secret:
1) have novelty
2) represent an economic investment to the claimant
3) have involved some effort in development
4) the company must show that it made some effort to keep the information a secret

In addion to this, although it is not legal to use redistribute trade secrets, the general knowledge that is learned through things that are held under trade secrecy CAN be used in the future. Another point to remember is that if something is held under trade secret copyright and patent laws DO NOT apply. It is debatable in this case whether the company tried to keep it a secret (documents downloaded by hackers have fallen under trade secret laws, but because they were not secured enough so a hacker couldn't get access the hacker has been determined to not be liable for any damages.) Also any country where there are not trade secrecy laws could download this and redistribute it. Once a trade secret is not a secret it falls into public domain.

Some information gathered from Computer Ethics, Deborah G. Johnson, 1994.

Is "Kerberos" trademarked?

[Greyfox]

If they're not conformant with a open and trademarked standard, they should not be allowed to say they are. Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.

An easy way...

[GNUs-Not-Good]

to keep it secret. Put the pdf file on an IIS server. No one will find it there because there are no IIS exploits.