Slashdot Mirror
Kerberos, PACs And Microsoft's Dirty Tricks
Chris DiBona wrote to us with something that Ted and Jeremy (Samba Boys) wrote: "Microsoft, after getting beat up in the press for making propietary
extensions to the Kerberos protocol, has released the
specifications on the web -- but in order to get it, you have to run a
Windows .exe file which forces you agree to a click-through license
agreement where you agree to treat it as a trade secret, before it will
give you the .pdf file. Who would have thought that you could publish a
trade secret on the web?" Read more from the Samba Team below.
The critical part of the license states:
- "b. The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not disclose the Specification to anyone else (except as specifically allowed below), and you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information, to keep the Specification confidential. If you are an entity, you may disclose the Specification to your full-time employees on a need to know basis, provided that you have executed appropriate written agreements with your employees sufficient to enable you to comply with the terms of this Agreement.
The one good thing about Microsoft having pulled this dirty trick is that it makes their propietary intentions about the Windows 2000 PDC clear as day. I doubt anyone else could come up with a charitable explanation for what they've done. What a better example of Microsoft's "embrace, extend, and engulf" business model!
Jeremy Allison,
Samba Team.
Theodore Ts'o,
(former) Kerberos Development Lead
"
I call your attention to the part you quoted which says "AT LEAST as great as the precautions you take to protect your own confidential information."
What Microsoft's statement says is that the least amount of precautions you must take are those that you take with your own confidential information. You may take more, but it does not seem to require that you do so. Why would they bother including the statement above if they had expressly spelled out the precautions you must take?
How many people have to download the information before it becomes common knowledge in the industry? Is it still a trade secret if everyone knows the secret? Doesn't make a lot of sense. Seems like Microsoft is playing a game and I hope to see them lose.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
Why bother even mentioning B at all then? It seems to be completely irrelevant. Why not just say that X must be >= A then? That's why I didn't agree with the interpretation. Did they ever define A?
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
If a copyrighted work is illegally redistributed, perhaps even with a "new" license (one that could make it public domain, for example), that license is null and void since the work was obtained/distributed illegally in the first place. You can't just slap a new license on something unless you *own* that something. Anyone downloading your copy, legally, have zero rights to it. If they honestly didn't know it was ripped off, and thought the "new" license/copyright terms were the real ones, they would be fine (they'd just lose subsequent rights to the work in total).
Of course, I'm just looking at this from a simple copyright perspective. People are using terms like trade secret and patent and trademark, etc., but simple copyright law is all that you need.
They wrote the document; they can determine exactly who is allowed to get it via how it can be redistributed.
Why don't we just borrow some books from the library and transcribe the contents on web pages? People would never have to buy books again! What about movies? CD's? It's the same concept.
This may very well be the case. However, you're missing a possibly subtle point.
We're not in a war against them. We don't need to watch W2K die. We just need to continue doing our jobs -- and continue contributing to the community -- just as we've been doing.
I'm not saying that we should ignore this kind of deliberate attack; it's likely that this attack will get in the way of us doing our jobs. My point is simply that we don't have to watch W2K die. The mere fact that its supporter is Microsoft, a company who does this kind of thing, will kill it -- together with the fact that the people (us) supporting the better operating systems don't do that.
We should be known as the people willing to help other people get their jobs done, without stooping to bickering and fighting. Our motto should be something along the lines of: "It's not an operating system. It's people."
-Billy
"IT'S PEOPLE!!! YOU'VE GOT TO TELL THEM IT'S PEOPLE!! IT'S MADE OF PEOPLE!" -- Charlton Heston
IIRC, Microsoft has extended Kerberos in a standard way, that is, by using parts of the protocol which are intended to be vendor defined. I'm not sure whether they have maintained interoperability.
--
"L'IT c'est moi!"
IANAL, but I think that a trade secret can be legally protected if reasonable steps were taken to protect it. So if someone breaks in and steal your trade secret, then publishes it, other parties may be enjoined from using the information.
A court would have to decide if Microsoft took reasonable steps to protect their trade secret in this case, I'd say they didn't, but then again I'm biased.
--
"L'IT c'est moi!"
Actually, no it doesn't. It asks you to only look at the information if you have a license, it doesn't demand it. The actual wording is:
Note the use of the word "please". I'm free to ignore any requests from Microsoft Corporation, and I choose to do so here. BTW, I didn't agree to any licensing terms to get that information.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
The Samba team doesn't protect their own confidential trade sectrets very well, and surely they could use this spec if they protected the implementation equally well. Microsoft knows that of course. But hey, they're not just giving away competitive advantages all of the sudden. It's a PR stunt for sure, but it's not good enough to be just that. There _must_ be something important which is not in the spec, or which is different in the spec. What could it be ? I haven't seen the spec myself and I don't know Kerberos stuff, but somehow we're going to find out when Samba implements the spec and some sort of hell breaks lose. My best guess would be that it is related to security - call me detective ;) Could there be some blatant backdoor inherent in an implementation following the spec ? Let's hear what people who know Kerberos and the spec say...
...to create enough documents so that all that extra bits of info M$ is grabbing off your disk in Word files, which would include their kerberos source modifications, ends up being send along the bogus documents via email attachments.
Reassemble everything, and you have sources that were published by MicroSoft's own incompetence in a way they can't blame you.
Clearly you haven't extracted it enough...
Set up a pair of groups to extract it. One agrees to the terms and knows what the license is.
The other does not agree, and never looks at the docs at all. But they keep making filters which they think are likely to strip the license. They make a metric crapload of them, present them to the 1st group and asks "Are any of these licenseless?"
A bit of grepping determines the answer, and voila - a copy of the docs w/o license.
;)
(and if you think I'm a lawyer, I've got this bridge that's very affordable...)
-- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
IANAL, but: This issue is muddy because nobody really knows what the legal position is. There are essentially two possible cases:
-- Ed Avis ed@membled.com
ianal: It's not possible for a licence to take normal rights away (at least not without DMCA, UCITA, etc laws). The whole point of rights like fair use, parody and so on (which vary from country to country) is that they can't be taken away by the copyright holder, no matter how much crap is in the licence 'agreement'.
Now the GPL claims that a program which uses a library is a derived work of that library, but if this turns out not to be true (it's not been tested in court AFAIK) then that section of the GPL doesn't carry any weight.
Are you sure? Without the permission of whoever wrote the library? Have a look at the files for Microsoft Office, pick a DLL at random and distribute your own program linking with that DLL. See what happens.
-- Ed Avis ed@membled.com
You don't have to accept the GPL at all. But you will be violating copyright if you distribute Linux under any licence except the GPL.
-- Ed Avis ed@membled.com
Ah, but the GPL grants you additional rights that you would not normally have under copyright law.
.so, whatever-your-OS-uses) made by someone else.
While the GPL gives you certain priveledges that you wouldn't have with normal copyrighted works, it also takes some normal rights away. In particular, it's perfectly legal for me to create a proprietary program that relies on some copyrighted shared library (.dll,
If I tried to make a proprietary program that relied on a dynamically linked "libreadline" for example, I'd be in trouble though. According to RMS, GPL doesn't allow non-GPL programs to link with GPL code in this way, because the code "depends on" the GPL code.
So I can do certain things with normal copyrighted works that I cannot do within the constraints of GPL (or at least the GPL's intent, according to RMS).
The GPL lets you make derivative works based on a shared library. It just doesn't let you DISTRIBUTE those derivative works.
Fine. But my point is that with normal copyright, I can distribute works that rely on someone else's shared library. With GPL you can't legally do this, or at least RMS hopes you can't.
Just like I might make a picture and say ``its free for you to use on webpages, but you can't sell t-shirts with it.'', the GPL is the same way.
No, it's more like, "you can link to my web page only if your web page meets certain conditions". I'm talking about dynamic linking here, which is actually quite a bit like linking web pages in a sense.
That's not taking away any rights you otherwise might have had.
I think you completely missed the point. If I wanted to, I could write a program that relied on some other company's shared library, and I could sell tht program (and yes, distribute it). As long as I don't include the copyrighted library itself then copyright won't restrict me from doing that. However, with GPL, RMS's hope is that people are not allowed to create non-GPL programs that "depend upon" GPL code, even through dynamic linking.
To give an example: it would be legal for me to create a non-GPL Macintosh emulator that required you to get your own Mac ROM files. The Mac ROMs are copyrighted, but it's okay (IANAL, but I'm fairly certain this is the case) for me to create software that depends on that copyrighted code, provided I don't go and give people that copyrighted code.
If the Mac ROMs were under GPL though, I wouldn't be allowed to distribute a non-GPL emulator. My emulator would clearly be dependant upon the Mac ROMs, and the GPL states that in such a situation it had better be GPL too if I want to distribute it. Whether that would actually hold up in court, I don't know. But RMS's intent is obvious, and he's stated it publicly many times.
You're just bitching because its not giving you the rights you want.
I think you're confusing independent thought with bitching. I have no problem with the restrictions GPL places. I'm working on some code right now that I plan on releasing under GPL. Does that mean I agree with all of RMS's philosophies? No. I think content creators should get to name their price. If they want to give it away free, fine. If they want to get a million dollars, fine. If they want you to give away your source, fine. You don't like the price? Don't use the code. I write proprietary software too. That's how I pay the rent. I don't get donations like RMS.
That said, I do have serious doubts about the dynamic linking restriction being legally enforceable, but I don't care much either way in this situation. It would set a rather nasty precedent, but as far as GPL goes, I have no intention of writing non GPLed code that dynamically links with GPLed code. That restriction (real, or only intended) is one that normal copyrighted code doesn't have though.
Now the FBI is looking for you Anonymous Coward and since you post comments to slashdot too many times a day they probably already know who are you.
Note that that strategy of posting your comments from different IP addresses every time is not helping you any more to remain anonymous.
--
> So why do we need this information? Simple:
> without this information it's impossible to
> modify Samba to allow Kerberos authentication
> (and encryption?) of remote shares.
Actually this is not correct at all. Samba really doesn't need this information to do authentication or encryption from a Win2k client, as the Win2k client is kerb5 standards complient enough to allow this to work perfectly (once the code is added to Samba).
It *would be* needed, however, to create a Win2k client compatible PDC, and it would also help if Samba used the extra SID information to do access control (map these SIDs into UNIX groups and do a setgroups() call from the smbd) if the Samba server were a member of a Win2k domain and was getting the user/group information from the Win2k PDC (either via LDAP or the new winbind daemon code). It's not even completely neccessary for the latter case, as we can get the same information by doing MS-RPC queries to a DC, it's just more efficient to pull the info out of the PAC.
This spec is needed to add the PAC format to MIT kerb5 kdc's and heimdal kdc's, not for Samba.
Hope that clears things up.
Regards,
Jeremy Allison,
Samba Team.
> You may not value intelletual property but MS,
> Xerox, and many other companies do.
This isn't intellectual property, it's a land grab on a previously open spec.
> Don't force your Open Source Religion on
> everybody else
But I don't want your code ! I want *OPEN* specs, implementable by anyone. That's how the internet got built.
> Where's the problem?
The problem is you are using your client desktop monopoly to attempt to gain a server monopoly. This is why you're being broken up. This is why you're being taken to court in the EU, this is *NOT LEGAL*. That's the problem.
Regards,
Jeremy Allison,
Samba Team.
1. Record the whole reverse engineering process on video to use as proof of actually rev.eng'ing, not following specs in court.
2. Publishing a "trade secret" obviously isn't "reasonable effort to protect", is it? Even with oxymoronish "by reading this..." comments.
3. Read the spec and explain it in your own words elsewhere. Someone else follows
4. Do it the Professional way (IBM, #118).
Now if we only had enough interested developers to form four groups to make independent patches/modules for Samba.
Better yet, IMHO IETF really should use the reserved bit differently in a new version, rendering MS "trade secret" inoperable. They just deserve it.
Anything I didn't answer (or copy) yet, eh?
I think, therefore thoughts exist. Ego is just an impression.
IANAL, but part of the laws regulating trade secrets presumes that you are taking reasonable measures to prevent the public release of the secret. Posting a "trade secret" to a website for the general public to access could very easily invalidate any future claims to trade secret status.
An analogous situation would be if Bill Gates, staggering around drunk in Central Park, walked up to each of several thousand people and offered to tell them Microsoft trade secrets if they "promise not to tell". While there are no doubt judges that would let this crap slip by, I think it is likely that the vast majority of appellate courts would laugh loud and long at this. Secrets are secrets because they are, well, secret. They are not secret because Bill Gates distributes them to a billion-plus people and says "Shhhhhh".
Proud member of the Weirdo-American community.
On the other hand, what's the big deal? If no one uses Microsoft's extensions, it's a non-issue.
Stupid people will be persecuted to the fullest extent allowed by law.
again, IANAL.
The idea that Microsoft could take the Samba team to court is both plausable yet sickening. Aren't they presumed innocent until proven otherwise? And how would it look for their PR? "Samba team taken to court over implementation of 'open' specification"
The scary part is, it wouldn't surprise me.
Ita erat quando hic adveni.
Not necessary to give it out; just rewrite a description of the protocols in your own words.
That doesn't violate copyright, and since it's a trade secret they can't patent it, so it'd be perfectly legal.
Microsoft screwed up.
--
I think it's clear that Microsoft has been deliberately, willfully engaged in criminal behavior for their entire existence.
Not punishing them because the acts were performed by a corporation instead of a person is rubbish; they were performed by people, just as much as more horrible crimes in the 1930s and 1940 were performed by German soldiers, not by Germany.
To not punish Microsoft for it's crimes, based on the idea that they won't commit them any more, would be like not jailing Ted Kaczynski because he hasn't blown anybody up lately.
The Microsoft executives responsible for this debacle, including Bill Gates and Steve Ballmer, should be jailed for a long time and have all of their personal assets that derive from Microsoft seized and placed up for auction.
Microsoft itself should be dissolved, all assets sold, and the proceeds divided among everyone who has ever bought or sold a copy of a Microsoft software product.
The domain "microsoft.com" should be given to the Electronic Frontier Foundation, with them directed to operate a web server at that address with all the relevant court documents displayed there for all time.
They should be directed to place the source code for all of their products under GPL immediately, and reassign the copyrights to Richard Stallman.
Oh; and Gates should be delivered to the jail wearing lipstick and a miniskirt.
--
That's what MS is up to. They're offering you the recipie so that they can advertise (falsely) "lemon pie, with recipie".
It's bypassing the click-thru that's important. Having the license printed on every page may seem intimidating, but consider what would happen if you were to print it out and "loose" the printout. Whoever found it would most certainly not be bound by the license - hell, maybe they don't read English, or maybe they're a minor and legally unable to enter into this kind of agreement.
In short, MS doesn't really have a legal leg to stand on. What they do have, however, is an excuse to drag whoever they want (Samba team, anyone?) into court and sue them into bankruptcy. They don't even have to win, just have enough cash - which they do - to be able to pay their lawyers longer than you can pay yours.
"Great men are not always wise: neither do the aged understand judgement." Job 32:9
1 - Lot's of people that they've done nothing wrong when in fact, in the eyes of the law, they have. Not that I'm defending them here, but it is completely plausible that one could err and still believe they did what was right.
:) All they seem to do is sit back and wait for a good idea to spring out of silicon valley, buy the company or destroy the company, and reimplement that technology in windows or office.
2 - I think that Microsoft did indeed help the industry. They provided a low-cost common platform for people to develop applications for. Sure they bought it from QDOS or whatever, but if they hadn't would the people who had QDOS had thought to call IBM up and say "hey... i've got this operating system?" Doubtfully. It's not like Microsoft made it so that the Unixes broke apart in every direction in the publics perspective.
3 - People DO love him. Microsoft, up until the past few weeks, was one of the surest picks for year over year growth, profits, etc... Look at where $1000 invested in Microsoft 15 years ago would be today. Compare that with Apple, Novell, IBM, etc... For that reason, investment managers do love the company and him, since upuntil recently he ran it.
4 - No argument from me here
Why don't they just read the stuff and write a SAMBA client thats "closed" source, and release it with no restrictions. That way the only way MS could know if they were violating the copyright would be if they themselves hacked the program to see what it does.
... but remember, I'm no lawyer.
Uh, how do you figure M$ is irrelevant? 89% some percent of people still use their OS on their personal computers and they make billions of dollars a year. I haven't seen them lose any developers. As a matter of fact a company around here just signed a juicy deal with M$ to provide them with biometric reading software thats going to be in the next couple versions of Windows.
I'm a loner Dottie, a Rebel.
Isn't it? What is the difference between a PDF files -- a stream of 1s and 0s which, when interpreted by a certain computer program, causes a particular action (i.e., a display of text) -- and a source code file
Well, the manifestation of the bits isn't what we're talking about, but rather the words, the arrangements of letters and idea that the PDF contains, is what is protected without question, because those words (whether represented as bits, as ink, or as stone carvings) are a "creative expression".
So to answer your question, the copyright status of the content wouldn't be affected by how it is stored (whether it's a PDF or a batch file that prints it to the screen). The words that are represented are protected. Whether or not the program that generates those words has a separate protection under [copyright|patent] is where the gray area and debate is.
Recursive: Adj. See Recursive.
I guess Windows 386 (1987) was a figment of my imagination.
Nope, it was real. It just didn't do multitasking (task switching at best), and MS didn't have a multitasking OS until OS/2-WinNT in the 90's. Didn't have a multitasking consumer OS until win95 (arguably) or Win98.
Recursive: Adj. See Recursive.
I'm sure the anonymous coward who posted the contents of the contents of Microsoft's PAC specification here thought he was doing the world a favor and sticking it to the Evil Empire in the process. But the truth is that what the poster has done is illegal in the US thanks to the DMCA, whether we like it or not. Moreover, making the contents of the file widely available in this manner threatens to taint the efforts of those who need to get this information legally!
The Samba team, and others who want Kerberos compatibility with Microsoft's PAC bastardization, need to come by this information legitimately -- either by reverse-engineering it, or by twisting MS's arm until they start behaving themselves and release the information openly. If anyone uses the above code to implement Win2k compatibility, Microsoft can take them to court for using stolen trade secrets.
Even if the Samba team *doesn't* use this information, if it becomes widely available then it becomes very difficult to prove that those who did the reverse-engineering didn't read Microsoft's document... in which case Microsoft can still take people to court for it and keep them there for a very long time because of the difficulty of proving guilt or innocence. The last thing we want is for future Samba development to be caught up in a legal gray area for years on
end.
And don't be too sure that Microsoft wouldn't take the Samba team to court for something like that, even if they knew the Samba team was innocent. They're playing dirty here, milking the gullibility of the US legislature for all it's worth. Microsoft promised open documentation, and instead they've given us a legal boobytrap. Please, let's not play into their hands.
Glad that they did this? Not really. It's a strategic move on their part designed to make them look like good guys (look, we're publishing a spec! We're open!), when in fact what they've given us is completely useless to the Community (unless you really /prefer/ to use Microsoft's server products and are only interested in making them more secure). It's worse that useless, really: anyone who touches the documentation MS has put out can wind up in legal trouble with Microsoft if they later work on any project involving the reverse-engineering and reimplementation of the PAC.
So thanks, Microsoft, but no thanks.
What? You mean you used that nefarious program WinZip to circumvent a content encryption scheme put in place to both protect copyright AND trade secrets? That's it! Under the DMCA all traces of WinZip must now be removed from the Internet! Anyone caught using WinZip from now on will have seven grades of shite kicked out of him/her by large men wearing big boots, sent round to your house by the MPAA.
;-)
--
The gift of death metal does not smile on the good looking.
---
This sig has been temporarily disconnected or is no longer in service
Given this fact, I wouldn't be surprised if this spec describes some small detail which is NOT present in the behavior of Win2K.
If your implementation exhibits this behavior it'll be fairly obvious that you used the spec rather than properly reverse engineering the protocol. This should be enough to destroy you in court.
/* The beatings will continue until morale improves. */
It is a violation of the author's copyright to electronically distribute the Microsoft document without permission (even though they posted it on the web), or to make physical copies without permission. I personally find it silly to post technical specifications without granting the reader the right to make copies (i.e. print it out and make copies of that printout), but the decision as to making copies is up to the author.
It is legal to distribute the "concept" (i.e. information content) contained in an artistic expression as long as it is rephrased (i.e. not an exact copy or derivative work). There are three exceptions to this:
So, like Metallica's songs, your post on /., and the book War of the Worlds, that PDF document is copyrighted. It is illegal to distribute it against the copyright holder's (MS) wishes. Whether it is legal to redistribute the information content (the spec.) without using the verbatim text is a separate question over which copyright law does not preside.
magic
> What you can do is tell all your friends about what Microsoft is doing, especially those folks who work in I/T departments. Get them to understand why accepting a Windows 2000 deployment isn't in their company's long-term interest
What amazes me is that any company would still do any business with Microsoft at all after the Halloween Documents, with their unabashed recommendation of decommoditizing protocols as a technical solution to Microsoft's marketing problem.
When your vendor says "Sorry, but it's easier to compete in the marketplace by fucking you than to compete by producing a better product at a better price", then it is time to find another vendor.
It amazes me that they've sold a single box since that bald suggestion was publicized. Let alone now that evidence of them actually using the suggestion has been revealed to the larger public.
--
Sheesh, evil *and* a jerk. -- Jade
> About 10 years vefore MS got around to it...
Innovation isn't the kind of thing you want to rush.
--
Sheesh, evil *and* a jerk. -- Jade
Here's another one to Ponder: As I write this, does /. have editorial control over what I write? Or are they just a distribution channel for my comments published by me (by the very act of typing this in and pressing the submit button). I would venture that /. is a distributor and therefore not subject to responsibility for content in the same way Amazon.com is not responsible for the content of the material contained w/in the text of their product.
Fair use applies to straight copyright law. Contracts and EULAs can add additional rights. Remember, 'fair use' doesn't equate to 'you think it's fair'.
Also, copyright law does not 'grant' you rights, it grants rights TO THE COPYRIGHT HOLDER. It gives them the power to license it to you under their own terms and conditions.
Uhh..
how is that news?
They are the 'first' to offer kerberos v5 native in windows 2000? Who ELSE would be offering it as native in windows 2000?
Even if this is the case.. if someone can show that anyone can just go fill out the form and get it.. can they still claim it to be trade secret?
Or is this their way of saying 'see.. we're open about everything! we're not trying to hijack the protocol! OH! but if you try to build something using our proprietary extensions, we'll fuck you over'
IANAL... but...
I've had to deal with Trade Secerets a fair amount of time.
My understanding is that in order for a piece of information to maintain the classification then:
1) I need to agree to keep the secret
2) The information needs to be transmitted in writing (I'm assuming electronic form is considered writing) and
3) At the bottom of each page should be a notice that this information is a Trade Secret.
I believe (perhaps an IP Lawyer out there can verify) that unless those conditions are met, the information is not considered a Trade Secret.
(ie. if someone gives you some documents and then later comes along and tells you, 'oh, and this is a trade secret' you don't have to follow their wishes)
If this weren't the case then you wouldn't have to sign an NDA, they could just give you the document with the license 'printed on page 10 and 11'.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
"...equal to asking you to sign..."
Ah, but they're only asking. You don't have to sign anything you don't want to, being of sound mind and free will. I make it a practice to read everything I put my name and/or signature to. If I don't like or don't understand it, I don't sign it. Simple as that.
Bothersome - people here imply that Microsoft is "tricking" people, that Microsoft is "forcing" them into an unagreeable license. But they're the ones who downloaded Microsoft's intellectual property and begat themselves of its wonders, and 9/10 of them knew there was a license attached to what they were reading.
Seems to me the fools here are the ones who read the license, understood what it meant, didn't like it, and went ahead and clicked OK anyways. Stop all this talk of being forced to do things - you're not all helpless sheep victim to any passing breeze. You're human beings with rational minds and the ability to make decisions based on your judgement.
And if you are a sheep, well, that's just the way you are, but if you *know* you're a sheep you shouldn't be going around clicking OK to things you don't understand.
OK! I know flamebait when I see it. It's late.
Nebulo
IANAL, but I think that a trade secret can be legally protected if reasonable steps were taken to protect it.
I seriously doubt that posting it to the Net would count as a reasonable step to protect the secret. Either way I'm not touching W2K (and it's not touching any of my company's computers) until it can play nice.
--
+&x
You're right; it isn't legal. But people think it's legal. And the relevant laws can be made to sound mumble-jumble enough that it only takes several million dollars worth of legal talent to convince a dozen of our peers that it is legal.
--The basis of all love is respect
I am not 'the Slashdot crowd', I am me and speak only for myself. Sometimes not even that.
Actually, the GPL violations in China do not interest me much either - anyone there who really wants the sources could probable get them anyway.
Mielipiteet omiani - Opinions personal, facts suspect.
It's "Cerberus". "Cerebus" is an aardvark.
I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.
.exe file if another alternative existed, in this case WinZip is that alternative.
.exe, I ALWAYS try to open it with WinZip first, it just makes good security sense don't ya think? Why run an .exe when you can use WinZip to do the same thing without putting your system at risk?
.exe with BO2K and show WHY using WinZip is the best option to start with.
Actually it can be argued that any security conscious user would NEVER double click on an
I know that personally, when I get a self extracting
All it would take to convince a judge of this would be to infect the same
However, just because there was no license agreement doesn't mean the document is in the public domain. There's a difference between software licensing (which is contract law) and public domain (which is copyright law). Microsoft is effectively acting like a newspaper or a radio station here - they are publishing something to a lot of people, but that doesn't give their audience distribution rights as well. Try making photocopies of the New York Times and selling them for half price, and see how far you get. Or better yet, try rebroadcasting a major sporting event in your bar :)
Difference: NYT and TV broadcasts are copyrighted, this MS document, I've been told, is supposed to be a trade secret. If they claim its a trade secret they cannot copyright it. Since I am not under any license (as I did not see one, or agreed to one) about it being a trade secret, then I am an "innocent", and it is now public domain.
-- iCEBaLM
I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.
:)
MS puts it on their page for everyone to DL, there was no agreement that I saw that said I couldn't give it out to anyone else, it's public domain.
I'm not associated with any such group, I'm just your average joe schmo who uses winzip instead of running self extracting archives for fear of viruses.
-- iCEBaLM
>This is Microsoft's new OS.
Didn't see that in the download - just a variant on a network auth protocol... which you 'are not allowed to implement', so they certainly don't want anybody else playing in their sandbox...
"It's tough to be bilingual when you get hit in the head."
However, there is a short license agreement at the bottom of every page and the full agreement on pages 11 and 12.
So, I guess that my winzip idea is worthless...
Plenty of projects, not enough developers...
Trade secrets can't be copyrighted. Consult a lawyer instead of playing one on
A couple posts have suggested that the only reason anyone would care about the contents of the document is so they can create their own competing implementation.
That's *not* the case - the MIT and Heimdal Kerberos implementations work quite nicely under Linux, come bundled with RH 6.2 (and my unofficial Debian packages) and Debian 2.2/non-US, respectively, and include all you need for a fully-functional Kerberos network. I know; my BAN uses MIT Kerberos for most of the network services.
MIT Kerberos (at least) even compiles under Windows platforms. This allows you to use Kerberos with W9x boxes.
So why do we need this information? Simple: without this information it's impossible to modify Samba to allow Kerberos authentication (and encryption?) of remote shares. I'm sure I'm not the only person who is breathlessly awaiting the MS spin that "Samba may be faster, but it's not as secure as 'real' W2K servers!".
Meanwhile, I'm breathlessly awaiting Kerberos-enhanced NFS. (slobber). It would eliminate a *lot* of problems (while introducing a slew of new ones). In the meanwhile we still have AFS and CODA (which solves a different problem).
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
However, suppose fifty people were to download it without agreeing to the licence (I just have, from http://warot.com/freedom/kerbspec.pdf), and each quoted just one paragraph on their web site (copyright law allows for the fair-use quoting of small parts of a document), and then suppose someone else later came along independently and made a Web page which linked to all those single paragraph Web pages, what law would have been broken?
As an example of what I mean, I have posted an example paragraph here
I'm old enough to remember when discussions on Slashdot were well informed.
Remember that the Digital Millenium Copyright Act has force of law in only one of the over two hundred countries in the world, and, as it happens, not all the Samba developers live there.
I'm old enough to remember when discussions on Slashdot were well informed.
Yeah, MS's dedication to certain standards is pretty impressive...
/. article and came to the link "beat up in the press," I was amused to see that the press doing the beating was LinuxWorld. That's one step away from saying "after MS was beat up in /. discussion boards."
When I read the
You'd think that with a statement like that, "the press" would have referred to something a little more... mainstream. Of COURSE a Linux mag is going to beat up on Microsoft.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
On the other hand, they have asserted copyright on the contents of the
document, and have taken `effective measures' (in the language of the
DMCA) to restrict access to it. So isn't the kind of measure you
propose infringement of the DMCA?
Charles
not in europe, where it is specifically allowed to reverse engineer for interoperability, ie reading a document through a different reader, cos none is available for your OS.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
I wonder if it isn't possible to release an extension to the Kerberos Standard that 'accidentally' works with windows servers/clients.
There is another thing that bothers me here: MS has put his trade secret in the open, so if they want to take someone publicizing part of it to court couldn't it be argued, that since they didn't take any means to protect their 'trade secret' the legalese obviously weren't worth the bits they were encoded with. And since MS is encouraging criminal acts here, can't they be sued for that?
At least the information where to find the MS extended Protocol (i.e. the link) and maybe even the file 'kerbspec.exe' can be distributed freely (hey i just downloaded it, i didn't even execute it so i didn't agree to anything)
And since it's impractical for unix users to extract the file on a dos box maybe someone could come up with an extractor.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Scenario:
* Microsoft releases this document, with these trade secret and copyright claims and "technical means" to enforce them.
* Somebody posts the text. (Already done.)
* The Samba developers implement a compatable upgrade.
* Microsoft sues the Samba developers, alleging both trade secret violations and violation of the DCMA. (This would make them felons...)
* The court case is the Samba developers aided by the volunteers of the Free Software Movement versus the lawyers of the Richest Man in the World and the Big Company that made him all that money (and has even more).
Regardless of the outcome it's a BIG load on the Samba developers, and probably takes them down as far as spending time competing with Microsoft is concerned.
Note that this works for Microsoft even if the Samba developers stay strictly clear of the leaked "trade secret", working strictly by reverse engineering!
So Microsoft has put a spike in Samba's wheels. Kiss any future upgrades goodbye.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Open the .exe you downloaded onto a Windoze machine with Winzip...extracts the file automatically. No pop-up, no muss no fuss.
I am a law student and do not pretend to be qualified to give legal advice, but I think that the above posts which reveal the "secret" eliminate any basis for Microsoft to call this a trade secret. Once it is in the public, it is not a trade secret.
It's not that simple. If the trade secret is publicized via an "improper" means, then it's still protected under trade secret laws. So not only is the poster liable for breaching the contract, but all copies that came from that tainted source are still considered under trade secret protection.
It's on that basis that the MPAA is claiming trade secret protections for the CSS code (at least for one of their lawsuits). Their claim is that the disassembly took place in a country that doesn't have an explicit allowance for reverse engineering for interoperability purposes, and that the person couldn't have obtained a copy of the DLL without agreeing to a clickthrough license which prohibited reverse engineering. Ergo, the source of the CSS code was tainted, and therefore CSS is still a trade secret, even though it's been posted on thousands and thousands of sites.
This may sound strange, but it's how the law works. Now, if someone could prove that they came by the information via a legitimate means that didn't involve the potentially tainted CSS source, then that would be an absolute defense. But given that the CSS code has been spread far and wide, it actually makes it harder for someone to prove that their reverse engineering was actually done "cleanly".
The GPL lets you make derivative works based on a shared library. It just doesn't let you DISTRIBUTE those derivative works.
Just like I might make a picture and say ``its free for you to use on webpages, but you can't sell t-shirts with it.'', the GPL is the same way.
That's not taking away any rights you otherwise might have had. You're just bitching because its not giving you the rights you want.
Scott
There's two parts to this:
First, the information in their file is a trade secret. If they give it to you in a fashion whereby you can distribut it, the information is no longer trade secret. (Much like if Microsoft accidently some internal API docs, they can't claim trade secret protections.)
Since that keeps us from being under contract, we aren't obliged to keep the material confidential.
But!! There's a second part to this. While the information on it may no longer be confidential, the document itself is copyrighted. So while you do have the right to start sending the information within the document out to the world, I don't see where you have a right to send the document itself out into the world.
Rewrite the document into your own words, then you can make your version public domain. You cannot make Microsoft's version public domain as they have not assigned you the copyright.
IANAL (of course)
If that silly text bothers you, check out this copy. It doesn't have the license...
Say no to software patents.
Judje: The normal procedure for viewing this document is running the executable and clicking the "Ok" button on the click-through agreement. So why didn't you do just that?
Defendant: Your honor, I was advised to never, ever run a program downloaded from an untrusted source.
--
Industrial space for lease in Flatlandia.
I guess it's time to find my 11 year old cousin in China and have him download the file, copy the spec, and email it back to me.
Seriously, when a number of people have taken the spec, posted it everywhere on the internet, and the secret is out, what's going to stop the spec from being included in Samba?
There was a very interesting article (it isn't published online yet, but was linked to this coverstory) in the German computer magazine C'T a few weeks ago, about the legal implications of pressing a "I agree" button etc. The conclusion was, roughly, that there aren't any! I'd find this interesting. In the same article, btw, it is suggested that written disclaimers don't matter either, since a customer isn't required to sign them..
Anyway, this too is the freedom of Open Source - anyone could start an (illegal) fork of Samba which makes use of these "trade secrets"..
You coudl get a chinese team to implement it. The implementation would no doubt be illegal in the US. Much like just about every popular MP3 encoder out there. RedHat and other dists would not be able to include the implementation and it would probably never be hosted on US servers. Much like every popular MP3 encoder out there. Would that stop anyone from using it? No doubt no more than every popular MP3 encoder out there.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I advise you to consult with your lawyer first before pursuing the above course of action.
You may not read this post unless you agree to pay me 1 billion dollars and give me your first born son's left nut.
Is this valid? No? Then neither is MS's "you must agree before you read" clause.
--------------------------
If you read any of the text below following this Sentence you are agreeing to its Contents and will comply promptly, failing to do so is a Federal Offence and will be procecuted to the Maximum Extent of the Laws, including UCITA and DMCA, so DO NOT read the rest of this document if you disagree or are unsure of its contents:
You (The Reader) hereby agree to read the rest of this Document, comprehend it and comply with it fully and promptly.
--------------------------
YOU HAVE AGREED TO THE TERMS OF THIS DOCUMENT.
This Document is copyright and a trade secret of Evil Corp (The Company). By reading this you have willingly purchased to view the full text of this Document for $5.000, and must send an equal amount of money to the following billing address, in a secure way:
Evil Corp Inc
Elmstreet 666
US
You may NOT reverse-engineer or disclose any parts of this Document including the first Sentence, to anyone, since the full Document is a copyrighted trade secret of Evil Corp. Evil Corp reserves ALL rights of use and distribution of this document. In addition you must refrain from discussing this Document and its implications openly to ANYONE or ANYTHING. You have also agreed to not sue or press legal charges against Evil Corp for anything EVER. Evil Corp does not claim any usability of this Document and is therefore not responsible for any misuse or anything. Evil Corp is a legal entity, protecting its employees and owners.
YOU HAVE AGREED TO THE TERMS OF THIS DOCUMENT.
--------------------------
Send some money folks!
- Steeltoe
* ERA = End-Reader-Agreement
http://www.debunkingskeptics.com/
Isn't there some kind of law against this?
.sig
We're getting whacked by big companies that uses their large legal departements to FUD the users of alternate products.
There should be something to protect us from these kind of things. Are you really allowed to make changes to a open standard and refuse to disclose it?
Maybe we should start slapping a GPL like license to standards? Something that goes like this: "Any standard that is a derivative of this standard MUST use the foo license". That would keep the nice and open standards open forever.
Note that these are my personal opinions, they are just as faulty as anyone elses.
Are you sure about this? Microsoft was using a click-through non-disclosure. GPL does NOT use click-through, and the GPL is NOT a non-disclosure agreement. Code released under GPL is copyrighted, and you are granted a license to use it only under the terms of the GPL. This is a slightly different matter: without regard to copyright, Microsoft sleazily released this with a click-through non-disclosure. If you never get a chance to click through, you haven't agreed to the non-disclosure. There is still the issue of copyright. "Not covered by non-disclosure" is not the same as "public domain", as another poster mentioned. It seems that, having avoided the non-disclosure agreement, it would be acceptable to summarize/implement/report/etc the contents, but not acceptable to publish them verbatim in any country with copyright laws. Get busy, overseas!
See what I've been reading.
, by opening it under emacs. There is some boilerplate by Verisign, and not much else that's easily readable. I expect that there'll be a mirror for the plaintext somewhere in a few days (hint, hint... get busy, overseas!). I can't do much with it easily, I'm on AIX.
I agree, there isn't any charitable explaination for this, but it's hard to explain any other way, either. Are they doing this so that when it is spread around they can say "look what happens when we try to be open... we'll never do that again!"?
Perhaps the best reply to this is to declare that any program which will interact with microsoft is broken... don't let them on your system.
See what I've been reading.
If it is that easy to obtain the 'trade secret' without making any agreements, then I hardly consider it much of a secret.
How many people have mirrored this file so far?
Can I get it on a T-Shirt yet?
Don't forget how much more evil Micros~1 is compared to the DVD industry, lets see some action taken!
Tyranny = Government choosing how much power to give the people.
IMHO, they should just ignore W2K. If people ask why, point to the incompatible license, this stupid "trade-secret" and blame MS. Make MS look bad, just like how winmodems were made to look lame. Watch W2K die.
But then I could just be dreaming.
What use is all this if you can't use it or implement it? Why did they bother printing this out?
What they document in this pdf is false! When the Samba team "reverse engineers" this into Samba 2.0.9 or whatever, Microsoft will sue their ass off, pointing out the poison code, and here's the kicker - its all bullshit. So now you have a Samba team in jail, and a version of Samba that still doesn't work with MS-CIFS !
Read the halloween documents again, and tell me I'm wrong.
Lars -
Got it?
Disclosure of APIs, Interfaces and Technical Information.
Microsoft shall disclose to ISVs, IHVs, and OEMs in a Timely Manner, in whatever media Microsoft disseminates such information to its own personnel, all APIs, Technical Information and Communications Interfaces that Microsoft employs to enable--
- i. Microsoft applications to interoperate with Microsoft Platform Software installed on the same Personal Computer, or
- ii. a Microsoft Middleware Product to interoperate with Windows Operating System software (or Middleware distributed with such Operating System) installed on the same Personal Computer, or
- iii. any Microsoft software installed on one computer (including but not limited to server Operating Systems and operating systems for handheld devices) to interoperate with a Windows Operating System (or Middleware distributed with such Operating System) installed on a Personal Computer.
To facilitate compliance, and monitoring of compliance, with the foregoing, Microsoft shall create a secure facility where qualified representatives of OEMs, ISVs, and IHVs shall be permitted to study, interrogate and interact with relevant and necessary portions of the source code and any related documentation of Microsoft Platform Software for the sole purpose of enabling their products to interoperate effectively with Microsoft Platform Software (including exercising any of the options in section 3.a.iii).Note that this doesn't specifically require Microsoft to put all those documents on the Web. If you agree that Microsoft should be required to do so, write to the Justice Department at Microsoft.atr@usdoj.gov and ask that they require that in the final remedy.
But the difference is that in either case, you would not be able to re-distribute the document. Copyright law still applies, even though the license does not. In the case of GPL'd software, you can still read the source code and write an entirely new implementation of it, or compile and use the software without agreeing to the license. You would not be able to redistributed it however. The same would be true for the specification, you can not make a copy of it, but you certainly can read it, at least until UCTIA becomes law and says otherwise.
On the other hand, might the extraction of the .pdf from the .exe be considered "copying" it?
And another thing, wouldn't that make WinZip an illegal encryption bypassing device under DMCA?
IANAL, NDIPOOTV
This all depends...
If Microsoft used Kerberos code from MIT (which is distributed under a BSD-style license) then they must say that it is based on Kerberos. To not do so, would be in violation of the license.
However,
This is not necessarily the case for original code written to comply with an IETF standard (look at IIS, based on several RFCs, but not a derivitive work). If Microsoft wrote their own Kerberos code from scratch, but claims that it is compatible with the IETF Specification, that may be breaking some rules.
By the way, IANAL. If there are any lawyers reading this, please correct any errors I have made.
-------
Oh shit! I forgot to click "Post Anonymously"...
It seems to me that the point of Microsoft releasing this spec is not so others can implement thier own versions. They are releasing the spec in order that security experts can review it as well as third-parties can take advantage of interacting with it in Win2000.
This is in no way a step towards opening it up for open-source contribution.
Think about it...even if M$ is broken up, one of those companies will be ther operating system group, and that group will be interested in getting good reviews from security experts and third party integration. It's pretty much the way Microsoft has built its empire from the beginning: giving and collabarating with a heavy advantage.
What do you expect? This is big business. This is Microsoft's new OS. Do you really think they would open it up?
Microsoft is not built on the foundation of open-source, and like any pure software company, will not lose money to increase collabaration unless the customers demanded it in such a way that Microsoft gains revenue.
I need a TiVo for my car. Pause live traffic now.
Just in case anyone who doesn't have Windows wants this...
p ec.pdf
http://www.angelfire.com/boybands/billgates/kerbs
love,
br4dh4x0r
IIRC there is another part about trade secrets which in essence I take to mean that you do not have to use any more measures than the original company took. In this instance since they are not using a secure server, it is about the same as taking a hardcopy of it and leaving it on a park bench somewhere.
Also quoth the poster:
Agreed. Of course, that doesn't prove that the courts aren't laboring under a misconception. Digital data changes everything -- all creative works expressed as digital data are essentially simply numbers and numbers, being concepts, cannot be copyrighted.But I'm just philosophizing. Like everyone else on slashdot, IANAL.
The Mongrel Dogs Who Teach
I am willing to give MS the benefit of the doubt on a lot of issues. I have just recemtly started devloping in the MS SDK--coming from a POSIX-ish background of Sun. I have a theory about why their business practices are the way they are. Microsoft has never had a good, original idea, principle, or product (except, maybe Excel). So, Microsoft must adapt other ideas to fit their operating system. Since there are still DOS v1 and v2 commands still floating around in the SDK, it appears that this has been happening for a long time. Because of all the horrendous assumptions they made years ago (ie, Who will ever need more RAM than 640k), they have poorly fit standard and necessary operating system functions into their SDK (for a good example of this, look at hooks). And since their assumptions in the beginning were never fixed, just poorly patched and modifications were made to work around them, certain things that should be taken for granted in a real operating system cannot be. (Look at file locking and you'll see what I mean) So, rather than fix the os, they have to mangle existing standards so that they will fit with the 2-bit SDK MS has. Therefore, it isn't the business end of MS driving the idiocy, but the idiocy of the "imagineers" at MS driving the business principles. So the blame shouldn't be on the business dealings of MS for they have done an amazing job of hyping a flawed product. Rather, it should be that the managers and other "imagineers" at MS who make decisions about os implementation take the blame for the corruption of standards. QED: Bill Gates built his empire on faulty assumptions.
How do I remove a slashdot article which I have to destroy since I cannot read it - damn those disclaimers.
In the PDF, it says that viewing it means you agreed to the license... reproduced at the end.
-- LoonXTall
~~~LXT~~~
Life is like a computer program: anything that can't happen, will.
If M$ has such brilliant lawyers who draw up such amazing licensing documents, then i wonder how M$ could lose the court room battles.... :-)
life is a disease
If I say -- had confidential dealings with M$ and wanted to say sue them for possible breach of similiar language. Can their precident be leveraged for their obvious apparent lack of security (less then even a simple ID password registration script required for their support pages) in favor of us little guys? If they treat their confidential stuff in a shoddy way there is no guarentee they have treated mine better -- If anything any one want to see if it can leverage their contract's enforcement clauses? Regards,
Indeed MS has maintained interoperatbility. There were vendor defined fields where MS added extra information to make the delegation work between multiple W2K domains. Kerberos hasn't been tarnished by this and MS extended an olive branch by showing what they stuffed in the vendor-defined fields. Of course the /. folks go silly over a boilerplate licensing agreement rather than looking at the issue itself. Vendor defined fields can be a good thing if a standard does not have to be too tightly defined. Don't get upset folks. Your Kerberos network still works. I don't want to say who I am but I'm "in the know"
Microsoft Authorization Data Specification v. 1.0s .] PGROUP_MEMBERSHIP ResourceGroupIds;] ULONG SubAuthority[*]; ::= SEQUENCE {
for Microsoft Windows 2000 Operating Systems
April, 2000
) 2000 Microsoft Corporation.
All rights reserved.
Microsoft Confidential
Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporations website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerbero
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document.
Abstract
Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is
used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for
user logon and to create an access token. The access token is used by the system to enforce
access checking when attempting to reference objects. This document describes the structure of
the Windows 2000 specific authorization data that is carried in that field.
Top-Level PAC Structure
The PAC is generated by the KDC under the following conditions:
during an AS request that has been validated with pre-authentication
during a TGS request when the client has no PAC and the target is a service in the domain or a
ticket granting service (referral ticket).
The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket.
Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.
The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is
made up of several layers. The outer structure, contained directly in the authorization data, is as
follows. The top-level structure is the PACTYPE structure:
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;
Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the
following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the
PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is
complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer
types or complex structures) it is a little-endian format data structure.
PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of
the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR
encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type
PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)
} KERB_VALIDATION_INFO;
The fields are defined as follows:
LogonTime - the time the client last logged on.
LogoffTime - the time at which the clients logon session should expire. If the logon session should
not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be
forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user.
PasswordLastSet - the time the clients password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the clients password is allowed to change. If there is no
restriction on when the client may change its password, this field should be set to the time of the
logon.
PasswordMustChange - the time at which the clients password expires. If it doesnt expire, this field
is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the clients Windows 2000 UserName, stored in the Active
Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength
and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose
and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all
zero.
LogonScript - This field contains the path to the clients logon script. This field is optional. If left blank
the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the clients profile. This field is optional. If left blank the
length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the clients home directory. It may be either a local
path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer
are all zero.
HomeDirectoryDrive - This field is only used if the clients home directory is a UNC path name. In that
case, the share on the remote file server is mapped to the local drive letter specified by this field.
This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This
statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with
bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this clients primary group.
* GroupCount - This field contains the number of groups, within the clients domain, to which the
client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the clients
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits
that may be set are indicated below. Having these flags set indicates that the corresponding fields
in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket
request.
LogonDomainName - This field contains the NETBIOS name of the clients domain.
* LogonDomainId - This field contains the SID of the clients domain. This field is used in conjunction
with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the clients account. Valid
values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid
if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only
valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds
field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags
field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in
conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in
the resource domain of which the resource is a member.
Fields marked with a '*' are used in the NT token.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as
follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;
Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC
time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is
defined as:
typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;
The Length field contains the number of bytes in the string, not including the null terminator, and the
MaximumLength field contains the total number of bytes in the buffer containing the string.
The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding
attributes for the group.
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
The constant value for the NT Authority is:
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)
} SID, *PSID;
The SubAuthorityCount field contains the number of elements in the actual SubAuthority
conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding
attributes:
typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
The attributes are the same as the group attributes defined above.
Client Information
The client information is included in the PAC to allow a server to verify that the PAC in a ticket is
applicable to the client of the ticket, which prevents splicing of PACs between tickets. The
PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.
typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
The fields are defined as follows:
ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded
using "/" to separate parts of the client principal name with an "@" separating the client principal
name from the realm name. The string is not null terminated.
Supplemental Credentials
The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are
data associated with a security package that is private to that package. They can be used to
return an appropriate user key that is specific to that package for the purposes of authentication.
Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are
always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and
then encrypted with the key used to encrypt the KDCs reply to the client. The
PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE.
Supplemental credentials for a single package are NDR encoded as follows:
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
The fields in this structure are defined as follows:
PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:
typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;
The fields are defined as follows:
CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials.
The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to
encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is
not present.
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type
uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.
Signatures
The PAC contains two digital signatures: one using the key of the server, and one using the key of
the KDC. The signatures are present for two reasons. First, the signature with the servers key is
present to prevent a client from generating their own PAC and sending it to the KDC as encrypted
authorization data to be included in tickets. Second, the signature with the KDCs key is present to
prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures
are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM
respectively.
The signatures are contained in the following structure:
typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
The fields are defined as follows:
SignatureType - This field contains the type of checksum used to create a signature. The checksum
must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes
may be determined by the wrapping PAC_INFO_BUFFER structure.
For the servers checksum, the key used to generate the signature should be the same key used to
encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the servers TGT
should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDCs
checksum.
The checksums are computed as follows:
1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the servers key, and the result is stored in the
servers checksum structure.
4. The servers checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.
PAC Request Pre-Auth Data
Normally, the PAC is included in every pre-authenticated ticket received from an AS request.
However, a client may also explicitly request either to include or to not include the PAC. This is done
by sending the PAC-REQUEST preauth data.
KERB-PA-PAC-REQUEST
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}
The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a
PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be
included, even if other preauth data is present.
The preauth ID is:
#define KRB5_PADATA_PAC_REQUEST 128
References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000
) 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
Just because the information contained in the doc is a trade secret, doesn't mean that the doc itself has no protection. It's no different from grabbing a Word doc of Ender's Game and throwing it on the web, sans copyright information.
--Matthew
Since we release our source code for the world to see, we should take the same precautions with their specifications, right? Since the precaution we take is by applying the GPL to our source, the same should be done with their spec. I guess they forgot that not everyone has been assimilated yet.
--
Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
Heres a good loophole. Install Winrar, right click on the icon and select OPEN WITH WINRAR, extract the file. Whats a license? I never saw one..
SB.
> Of course the /. folks go silly over a
> boilerplate licensing agreement
Come now, this is hardly a "boilerplate licensing agreement". This is a deliberate attempt to keep control of the spec. and make it unimplementable in open code.
This is not what *anyone* in the Open Source community or at MIT had in mind when they asked Microsoft for the spec, something I have personally been doing for 2+ years.
> I don't want to say who I am but I'm "in the
> know"
Yeah, yeah, easy to say anonymously. I'd feel happier seeing a statement from folks I actually *know* and trust at Microsoft that this was a licensing screwup that will get fixed soon, but I'm not holding my breath.
Regards,
Jeremy Allison,
Samba Team.
> I think is that in order for their SMB client
> (ie, microsoft networking) to use Kerberos
> authentication when connecting to an SMB file
> server, it requires the use
> of their proprietary extension to kerberos, the
> priveledge attribute certificate - PAC.
> Apparently the Samba developers ran into this
> problem while trying to add kerberos support to
> samba and make it work with windows 2000
No, this is not true at all. Samba doesn't *need* this PAC format except as an optimization. See my posting below in this.
The MIT kerberos and Heimdal developers need to implement this PAC format, something explicitly denied to them in this license.
Regards,
Jeremy Allison,
Samba Team.
Not sure what a court would make any of this.. a proprietary grab at an IETF task force submission (itself similar to the patent application for stylesheets last year).
Maybe the answer is to get some 15-year-old programmers to merge this into the Samba, OpenLDAP and standard Kerberos code trees.
In any case, this certainly poisons the well. Releasing the specs of their changes like this is worse than keeping it closed: it will make it extremely difficult for an unpolluted clean-room implementation of the modified protocol to be accepted into anything, as anyone who has reviewed this spec may well be barred from participating in even a reverse-engineered implementation.
This is brilliantly evil.
I wonder if the PDFs are individually watermarked to track *who* leaked a given copy. I don't think I've ever seen Microsoft publish anything as a PDF before. They usually pass this stuff out as HTML or a Word document.
Yes we do. With a +2 rating.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
embrace -> extend
In open source, this is the process:
embrace -> extend -> publish extensions
Open source advocates are very happy to back extension and improvement of a standard as long as it is a PUBLISHED standard. When a company adds an extension and refuses to publish it, they create incompatibility (or in other parlance, competitive advantage).
Microsoft, historically, has extended things purely as a means of maintaining control. They don't actually enhance anything, they just attempt to maintain their monopoly. This appears to be yet another case of the same thing.
---
This sig has been temporarily disconnected or is no longer in service
Isn't it true that minors can't agree to such licenses, or something like that? If so, I could have my lil bro download and click, then I could copy the PDF elsewhere.. hehe
I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.
I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.
Now, if you're up for some work, what you could do is rewrite the whole thing, while preserving the ideas - copyright doesn't cover that. Or you could tell people how to get this. But don't make yourself a target for MS's legal division; that's completely unnecessary.
So what happens if someone in Usbekistan grabs the specs and puts them up on the net? Does this then make them publicly available and the person who did this liable for prosecution in a country that could not care less anyway?
The GPL (for instance) is routinely ignored in China so China would seem be another good candidate.
Mielipiteet omiani - Opinions personal, facts suspect.
Does this hamper legitimate reverse-engineering of the product?
Before, the implementation details were not known except for inside microsoft, so if someone implemented it, it was assumed that they reverse-engineered it. If MS wanted to say that secrets were stolen from within MS, then MS had the burden of proof.
Now, the details are out in the open, but unusable. So if someone implements it now, it's up to them to prove that they used clean room reverse-engineering. Furthermore, they might have to show that those in the clean room had never seen the public-but-secret document before.
--
Now, I trust Microsfoft not as far one can comfortably spit a rat, but was there any call yet to verify if this was a lapse? "Slap on the usual license.." or such?
I admire your charity..... but this is definitely not your usual license. Calling it a trade secret, and then adding the deliberate amplification that you're not allowed to create implementations of the specification is definitely not a stock legal license. This was something very carefully crafted to preserve a monopoly situation with respect to implementations of their propietary extensions of an Open IETF standard.
This very carefully allows Microsoft to throw sand in the arguments of people who are complain that they part of the security protocols are secret, as Bruce Schinier recently complained. But at the same time, it doesn't allow anyone else to implement a compatible implementations. Obviously, they're still pissed that you can implement things like Samba, so that windows boxes can be served by Unix boxes. Windows 2000 is a way of trying to head that off.
What can people do? Posting the pdf file on various web sites, as some people have done or threatened to do, isn't particularly helpful. In fact, to the extent that it makes it harder for people who are working on reverse engineering the protocol to prove that they weren't tainted with information that came from a trade-secret contaminated source, it actually can be doing people a real disservice.
What you can do is tell all your friends about what Microsoft is doing, especially those folks who work in I/T departments. Get them to understand why accepting a Windows 2000 deployment isn't in their company's long-term interest, since it will eventually put them under the monopoly thumb of Microsoft. We can't trust the DOJ to protect us. We have to get the word out there, and protect ourselves. Remember, if you don't use Propietary Microsoft code, then you can't get caught by Microsoft's games.
You're wish has been granted: kerberos.pdf
Say no to software patents.
Download it here. It's unzipped, and that pesky footer on each page has been removed too. Enjoy!
Say no to software patents.
whilst making it completely impossible to implement in competiting implementations which implements their propietary protocol extensions
Huh? It looks to me like these conditions just specify what is required to gain access to the specification...I don't see anything that prohibits development competing implementation without Microsoft's consent. This agreement simply allows Microsoft to keep track of who sees the spec, nothing more.
You can speculate on how they use this information, and how they might react in the future when competing implementations do appear, but that has nothing to do with who can or can't implement the extensions themselves.
Erm... we need a new /. moderator category: "illegal"
INAL, but I believe that things of the nature of this "trade secret" fall under the same logic as copyrights - that is, as long as the provider, Microsoft, has made a good faith attempt to inform the recipients that the material has certain restrictions - which they have done - the material, and the recipient(s) are indeed bound by the restrictions (unless the restrictions themselves are found to be illegal). You can't download the information directly from MS without being informed of the existence of the license, and thus (assuming the license itself is legal), you are bound by it even if you creatively bypass the license itself.
While individuals who may happen to receive the information through non-MS distribution channels are probably not breaking the license (if they can plausibly be unaware of its existence and circumvention), this is not to say that they are not bound by the "thou shalt not implement" clause, as this right was never bestowed by MS upon the original recipient.
This would be analagous to me stealing something from CmdrTaco and giving it to you, not telling you where I got it from. You don't suddenly own the object, even though you didn't know it was stolen, and would be required to return it to CmdrTaco - and most likely any economic loss you suffered would be owed to you by me, the person who broke the law in the first place.
-User
Emacs is for experts. Pico is for beginners. VI is a disease.
when you can simply ignore it and continue using the REAL kerberos protocol(if you wish). Microsoft is trying to be sneaky by saying "maybe if we make it seem like we don't want people to use this they will use it even more." Look through it and realize that apps written utilizing this protocol will only tell Microsoft that their little ploy worked. If it keels over and dies they might realize "hah maybe we should just stick to the REAL protocols." I'm not an expert in the way all that stuff works but it seems fairly obvious to me what they're trying to do
Who would have thought that you could publish a trade secret on the web
Oh dam, I bet that is why I was fired from Coke-a-cola... it is all so clear now.
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
"Cerberus" is the three-headed dog from Greek mythology, if you pass the name through a Latin filter first. (Latin doesn't use K much, and "us" is a more common ending in Latin.) If you try to be faithful to the Greek, which has Kappa Epsilon Rho Beta Epsilon Rho Omicron Sigma -- you get Kerberos.
"Cerebus", on the other hand, is an aardvark with an attitude, from the comic book of the same name, written and drawn by Dave Sim.
If somebody were to accidentally-brutally table this as evidence in a court case, it would become a matter of public record Be a shame that.
That's the way to do it. Propose an extension of Kerberos that uses this field. After all, there's no published use for this field by anybody, so it's free for the using, right? :-)
.pdf file to do it -- we're not implementing a compatible version, now are we? And after reviewing the MS doc "for security analysis", we decided that it wasn't quite up to snuff in the security arena (because it doesn't allow for secure authentication with non-MS systems).
Make it similar to but not the same as what MS is doing so that MS's version is broken. (Gee, where have we seen that tactic before?). And we could even use the
What happens to the people that implement it (ie. the Samba guys) even if they obtain the information without intentionally breaking the license. Are they exposing themselves to expensive litigation? Are they endangering the project?
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.
The bigger issue here is that spreading stuff that Microsoft has indicated is not for distribution (and implementation) is no more morally respectable than someone ignoring inconvenient provisions in the Gnu General Public License. There may be a legal question as to whether anyone requires a license from Microsoft to implement any kind of spec, but taking the attitude that we have the right to take possession of their stuff is problematic at best.
We don't want people to get the idea that free software / open source software people are thieves, we want them to get the idea that we are better because we are willing to do hard work on our own.
Until a lawyer comes along and officially says that Microsoft's attempt at doing an orwellian double think specification release runs afoul of the law, leave this stuff alone.
- jon
Ganymede, a GPL'ed metadirectory for UNIX
Remeber the AOL vs. IM debacle? When AOL refused to allow IM to work with AIM, Microsoft wanted a standards agency to govern some sort of instant message standard. Well, well, well, now we have a real, open RFC standard defining Kerberos, but do they want it?
This is typical Microsoft. They have some of the most excellent coders, and excellent people in other fields working there, but they also have some of the most selfish policies in the industry.
The wheel is turning but the hamster is dead.
The wheel is turning, but the hamster is dead.
It's printed on every page. Extracting it from the file without reading that license gets you nowhere, cos the first paragraph says you have to have licensed it to read further. And then it's at the bottom of every page after that.
Extracting it from the cab file doesn't do you any good. It certainly doesn't let you bypass the license.
Hokey statistics and ancient misconceptions are no match for a good thought in your head, kid!
at least as great as the precautions you take to protect your own confidential information
/don't/ take any precautions to protect my confidential information?
/do/ take aren't that great?
;)
Well hrm....what if I
Or less crazy, what if the precautions I
Just a thought...
Besides, shouldn't we be at least somewhat glad they did THIS. They didn't HAVE to. And yeah it's still stupid that they messed with Kerberos, but this is one step farther that they wouldn't have gone before.
So far they're acting better then nVidia.
Oooo, that's gonna piss someone off
Well, you got to give Microsoft credit. Their ability to reveal their additions to a perfectly good public standard in such a way as to remain propretary is certainly innovative.
Remember, you're allowed to try to *obtain* a trade secret, and once you do, if you haven't agreed to anything, it's no longer a secret.
.exe, without running it or agreeing to anything, that's well and good.
Trade secrets enjoy very little legal protection, unlike other kinds of information. They can't sue you for infringement, for instance.
So, if someone is able to *extract* the information from the
Trade secrets are a poor form of "security".
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
the Specification is provided...for the sole purpose of reviewing the Specification for security analysis.
And later: Microsoft does not grant you any right to implement this Specification.
I guess, if you want to make anything else out of it, you'd be in violation of everything and anything...
Anonymous computer time at Kinkos: $.20/minute...
Anonymous Geocities site to host the file: $0.00
The looks on Gates and Ballmer's faces as their "trade secret" is mirrored on thousands of sites worldwide....
... Priceless!
john
Imagine all the people...
win2000 actually will work with standard Kerberos services, to an extent. For instance, I set up a win2k workstation to authenticate logons against a unix KDC. You can also do some other small things, like ticket management while using a standard Kerberos KDC. But that is about the extent of their support for standard kerberos, at least as far as I know. The telnet and FTP clients are not Kerberized, and nothing in internet explorer is as far as I could tell.
The problem raised in this article I think is that in order for their SMB client (ie, microsoft networking) to use Kerberos authentication when connecting to an SMB file server, it requires the use of their proprietary extension to kerberos, the priveledge attribute certificate - PAC. Apparently the Samba developers ran into this problem while trying to add kerberos support to samba and make it work with windows 2000 (using Kerberos authentication. Samba will still work with win2k using the older auth methods).
So win2k does support standard kerberos, but not in enough applications (like file sharing, telnet, ftp, IE) for users to actually do anything usefull when working with a unix KDC. I suppose they might have just added this support so they could say win2k is compliant with that standard. If they ever do implement kerberos in any of their other apps, some of which I mentioned, it will probably be equally broken.
As most Microsoft's self-extracting files, this one is only a CAB file and therefore, you can simply use a program like WinZip to extract the PDF document.
I'm amazed. Truely amazed. Given that nobody could be under any illusions at all that Microsoft was very much in the eye of the world at a time when the abuse of monopoly power has just been acknowledged by the courts, you would have thought that Microsoft would be on its best behaviour until the dust settled. But no.
And it's not just the Kerberos 'embrace and extend' play which has surfaced. The story going around about the Bill Gates 'smoking gun' memo on altering Windows 2000 apps to make life harder for people with Palm Pilots has also just appeared. A large part of the DOJ/ US States proposal is that MS be split up *and* be subjected to 3 years of scrutiny under fairly draconian terms. So the last thing that MS could possibly want is to make the need for scrutiny mandatory and yet this is, in all effective purposes, exactly what moves like this are liable to do - leave the courts/govt no choice except to constantly sit on the coat tails of MS and see where they are going.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
It's not like companies don't get around this stuff all the time. It just takes a little more effort. You need to have a double blind. Basically doing the same thing that Compaq did with IBM's BIOS on the PC.
The first part is person to write a spec. This spec. should detail how you want something to work. "When the client does X the server should respond with Y". Etc. etc.
This person will have no other role. This person should not be associated with the developement of the MS extentions. Nor should he know any of the people who will be working on this.
His work should be handed to a third party who will deliver his spec to the developement team. Reverse engineering shall begin. It's a pain to do, but it is workable.
At any case there should be a nice stink made about this. I suggest that anyone who is a microsoft support customer contact your TAM or GTAM and let them know that this stinks.
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.s .
::= SEQUENCE {
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 1 of 12
Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
April, 2000
© 2000 Microsoft Corporation.
All rights reserved.
Microsoft Confidential
Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporation's website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerbero
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document.
Abstract
Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is
used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for
user logon and to create an access token. The access token is used by the system to enforce
access checking when attempting to reference objects. This document describes the structure of
the Windows 2000 specific authorization data that is carried in that field.
Top-Level PAC Structure
The PAC is generated by the KDC under the following conditions:
during an AS request that has been validated with pre-authentication
during a TGS request when the client has no PAC and the target is a service in the domain or a
ticket granting service (referral ticket).
The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket.
Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.
The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is
made up of several layers. The outer structure, contained directly in the authorization data, is as
follows. The top-level structure is the PACTYPE structure:
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 2 of 12
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;
Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the
following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the
PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is
complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer
types or complex structures) it is a little-endian format data structure.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 3 of 12
PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of
the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR
encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type
PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;
The fields are defined as follows:
LogonTime - the time the client last logged on.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 4 of 12
LogoffTime - the time at which the client's logon session should expire. If the logon session should
not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be
forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user.
PasswordLastSet - the time the client's password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the client's password is allowed to change. If there is no
restriction on when the client may change its password, this field should be set to the time of the
logon.
PasswordMustChange - the time at which the client's password expires. If it doesn't expire, this field
is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the client's Windows 2000 UserName, stored in the Active
Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength
and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose
and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all
zero.
LogonScript - This field contains the path to the client's logon script. This field is optional. If left blank
the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the client's profile. This field is optional. If left blank the
length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the client's home directory. It may be either a local
path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer
are all zero.
HomeDirectoryDrive - This field is only used if the client's home directory is a UNC path name. In that
case, the share on the remote file server is mapped to the local drive letter specified by this field.
This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This
statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with
bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this client's primary group.
* GroupCount - This field contains the number of groups, within the client's domain, to which the
client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the client's
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits
that may be set are indicated below. Having these flags set indicates that the corresponding fields
in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket
request.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 5 of 12
LogonDomainName - This field contains the NETBIOS name of the client's domain.
* LogonDomainId - This field contains the SID of the client's domain. This field is used in conjunction
with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the client's account. Valid
values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid
if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only
valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds
field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags
field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in
conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in
the resource domain of which the resource is a member.
Fields marked with a '*' are used in the NT token.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as
follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 6 of 12
Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC
time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is
defined as:
typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;
The Length field contains the number of bytes in the string, not including the null terminator, and the
MaximumLength field contains the total number of bytes in the buffer containing the string.
The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding
attributes for the group.
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
The constant value for the NT Authority is:
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 7 of 12
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
} SID, *PSID;
The SubAuthorityCount field contains the number of elements in the actual SubAuthority
conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding
attributes:
typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
The attributes are the same as the group attributes defined above.
Client Information
The client information is included in the PAC to allow a server to verify that the PAC in a ticket is
applicable to the client of the ticket, which prevents splicing of PACs between tickets. The
PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.
typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
The fields are defined as follows:
ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded
using "/" to separate parts of the client principal name with an "@" separating the client principal
name from the realm name. The string is not null terminated.
Supplemental Credentials
The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are
data associated with a security package that is private to that package. They can be used to
return an appropriate user key that is specific to that package for the purposes of authentication.
Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are
always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 8 of 12
then encrypted with the key used to encrypt the KDC's reply to the client. The
PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE.
Supplemental credentials for a single package are NDR encoded as follows:
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
The fields in this structure are defined as follows:
PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:
typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;
The fields are defined as follows:
CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials.
The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to
encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is
not present.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 9 of 12
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type
uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.
Signatures
The PAC contains two digital signatures: one using the key of the server, and one using the key of
the KDC. The signatures are present for two reasons. First, the signature with the server's key is
present to prevent a client from generating their own PAC and sending it to the KDC as encrypted
authorization data to be included in tickets. Second, the signature with the KDC's key is present to
prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures
are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM
respectively.
The signatures are contained in the following structure:
typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
The fields are defined as follows:
SignatureType - This field contains the type of checksum used to create a signature. The checksum
must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes
may be determined by the wrapping PAC_INFO_BUFFER structure.
For the server's checksum, the key used to generate the signature should be the same key used to
encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the server's TGT
should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDC's
checksum.
The checksums are computed as follows:
1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the server's key, and the result is stored in the
server's checksum structure.
4. The server's checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
This Specification is provided pursuant to the terms and conditions of the Agreement for Microsoft Authorization Data Specification
v. 1.0 for Microsoft Windows 2000 Operating Systems (the "Agreement") for the sole purpose of allowing review of the
Specification for security analysis, as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an authorized licensee of the Specification.
Page 10 of 12
PAC Request Pre-Auth Data
Normally, the PAC is included in every pre-authenticated ticket received from an AS request.
However, a client may also explicitly request either to include or to not include the PAC. This is done
by sending the PAC-REQUEST preauth data.
KERB-PA-PAC-REQUEST
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}
The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a
PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be
included, even if other preauth data is present.
The preauth ID is:
#define KRB5_PADATA_PAC_REQUEST 128
References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
Page 11 of 12
Legal Notice
This Specification is provided to you pursuant to the terms and conditions of the Agreement for
Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000 Operating Systems (the
"Agreement") for the sole purpose of allowing you to review the Specification for security analysis,
as further specified in the Agreement. If you have not downloaded the Specification from
Microsoft's website and agreed to the terms and conditions of the Agreement, you are not an
authorized licensee of the Specification.
For your reference, the Agreement is reproduced below.
Agreement for Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
IMPORTANT--READ CAREFULLY: This Microsoft Agreement ("Agreement") is a legal agreement between you (either
an individual or a single entity) and Microsoft Corporation ("Microsoft") for the version of the Microsoft
specification identified above which you are about to download ("Specification"). BY DOWNLOADING,
COPYING OR OTHERWISE USING THE SPECIFICATION, YOU AGREE TO BE BOUND BY THE TERMS OF THIS
AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT DOWNLOAD, COPY, OR USE THE
SPECIFICATION.
The Specification is owned by Microsoft or its suppliers and is protected by copyright laws and international
copyright treaties, as well as other intellectual property laws and treaties.
1. LICENSE.
(a) Provided that you comply with all terms and conditions of this Agreement, including without limitation
subsections (b)-(d) below, Microsoft grants to you the following non-exclusive, worldwide, royalty-free,
non-transferable, non-sublicenseable license, under any copyrights or trade secrets owned or
licensable by Microsoft without payment of consideration to unaffiliated third parties, to reproduce
and use a reasonable number of copies of the Specification in its entirety for the sole purpose of
reviewing the Specification for security analysis. By way of clarification of the foregoing, the
Specification is provided to you solely for your informational purposes (for review as specified above)
and, pursuant to this Agreement, Microsoft does not grant you any right to implement this
Specification.
(b) The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not
disclose the Specification to anyone else (except as specifically allowed below), and you must take
reasonable security precautions, at least as great as the precautions you take to protect your own
confidential information, to keep the Specification confidential. If you are an entity, you may disclose
the Specification to your full-time employees on a need to know basis, provided that you have
executed appropriate written agreements with your employees sufficient to enable you to comply
with the terms of this Agreement. You are also permitted to discuss the Specification with anyone else
who has downloaded the Specification and agreed to these terms and conditions.
(c) You may not remove any of the copyright notices or other legends from any copy of the
Specification.
(d) Microsoft reserves all other rights it may have in the Specification and any intellectual property therein.
Microsoft may have patents or pending patent applications, trademarks, copyrights, trade secrets or
other intellectual property rights covering subject matter in the Specification. The furnishing of this
Specification does not give you any license to these patents, trademarks, trade secrets, copyrights, or
other intellectual property rights, except as specifically set forth in subsection (a) above with respect
to certain copyrights and trade secrets.
Windows 2000 Kerberos Authorization Data April 2000
© 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.
Page 12 of 12
2. ADDITIONAL LIMITATIONS.
(a) The foregoing license is applicable only to the version of the Specification which you are about to
download. It does not apply to any additional versions of or extensions to the Specification.
(b) Without prejudice to any other rights, Microsoft may terminate this Agreement if you fail to comply
with its terms and conditions. In such event you must destroy all copies of the Specification in your
possession or under your control.
3. INTELLECTUAL PROPERTY RIGHTS. All ownership, title and intellectual property rights in and to the Specification
are owned by Microsoft or its suppliers.
4. DISCLAIMER OF WARRANTIES. To the maximum extent permitted by applicable law, Microsoft and its
suppliers provide the Specification (and all intellectual property therein) AS IS AND WITH ALL FAULTS, and
hereby disclaim all warranties and conditions, either express, implied or statutory, including, but not limited to,
any (if any) implied warranties or conditions of merchantability, of fitness for a particular purpose, and of
accuracy or completeness, all with regard to the Specification and any intellectual property therein. ALSO,
THERE IS NO WARRANTY OR CONDITION OF TITLE OR NON-INFRINGEMENT WITH REGARD TO THE SPECIFICATION
AND ANY INTELLECTUAL PROPERTY THEREIN.
5. EXCLUSION OF DIRECT, INCIDENTAL, CONSEQUENTIAL AND CERTAIN OTHER DAMAGES. TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE FOR ANY
DIRECT, SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, BUT NOT
LIMITED TO, DAMAGES FOR LOSS OF PROFITS OR FOR BUSINESS INTERRUPTION) ARISING OUT OF OR IN ANY WAY
RELATED TO THE USE OF OR INABILITY TO USE THE SPECIFICATION, ANY INTELLECTUAL PROPERTY THEREIN, OR
OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS AGREEMENT, EVEN IF MICROSOFT OR ANY
SUPPLIER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
6. LIMITATION OF LIABILITY AND REMEDIES. Notwithstanding any damages that you might incur for any reason
whatsoever, the entire liability of Microsoft and any of its suppliers under any provision of this Agreement and
your exclusive remedy for all of the foregoing shall be limited to the greater of the amount actually paid by
you for the Specification or U.S.$5.00. The foregoing limitations, exclusions and disclaimers shall apply to the
maximum extent permitted by applicable law, even if any remedy fails its essential purpose.
7. APPLICABLE LAW. This Agreement is governed by the laws of the State of Washington.
8. ENTIRE AGREEMENT. This Agreement is the entire agreement between you and Microsoft relating to the
Specification and it supersedes all prior or contemporaneous oral or written communications, proposals and
representations with respect to the Specification.
I am a law student and do not pretend to be qualified to give legal advice, but I think that the above posts which reveal the "secret" eliminate any basis for Microsoft to call this a trade secret. Once it is in the public, it is not a trade secret.
A similar case was presented in Religious Technology Center v. Netcom, 923 F. Supp. 1231 (N.D. Cal. 1995), where the judge held that RTC was unlikely to succeed in a trade secret suit against someone who had obtained the documents on USENET. The judge said that "although a work posted to an Internet newsgroup remains accessible to the public for only a limited time, once that trade secret has been released into the public domain there is no retrieving it."
Now, the poster may be liable for breaching the contract, but it is no longer a trade secret...
A way to get *permanent* protection over an idea or an implementation is to cause the secret to be leaked illegally.
Then, you sue everybody who implements the idea, at any time in the future, saying that they were inspired, or at least tainted, by the illegal release of the information. Trade secret laws do not allow the use of a secret if 'sufficient protections are taken'.
Previously, I had thought that a company would need a shill to do the publication of the secret; which is of course dangerous if the shill squeals. Microsoft has shown their ability to innovate here; publishing it as a secret sure to be 'improperly' released is a much better scheme.
thad
I love Mondays. On a Monday, anything is possible.
Surely you jest. If failing to read a license causes me not to be bound by it, then maybe I'll just download the Linux kernel code, ignore the license, and call it public domain. Then, if it's public domain (and no longer GPLed), I can compile it and distribute binaries without source.
The license exists, and not reading it has no effect on whether you are licensed or not.
The power of the license, on the other hand, is quite debatable.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Does this hamper legitimate reverse-engineering of the product?
No more than IBM hampered Compaq from reverse-engineering the original IBM-PC BIOS back in '83.
IBM actively published the BIOS specifications for exactly the reason you state -- it made it improbably that anyone technically capable of reverse-engineering it had not been exposed to the "trade secret". They thought it would make bulletproof legal protection.
Compaq had to search wide and far to find a team of engineeres who could swear they had never seen or heard anything about the BIOS "trade secrets". They locked them in a room with a black box version of the IBM-PC, and a second team "outside the room" (since they had been exposed to the trade secrets) would tell them whether they were hot or cold. They reverse-engineered it in one of the most important feats of the computer age.
And they kept detailed logs & journals of every step along the way so that they could prove beyond a doubt that they had succeeded in reverse-engineering the BIOS without seeing the published "secrets".
This may be, alas, further proof of Microsoft's fall -- they truly are becoming like IBM was back then, using tricks and traps to protect themselves rather than building a better mousetrap.
What's sad is that MS, Compaq, et al -- who would not exist without that single feat of engineering -- are more than happy to support laws that would prevent it from happening again (DMCA, etc).
Recursive: Adj. See Recursive.
1. Download the evaluation copy of winzip if you don't already have it.
.pdf file. I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.
2. Download the dumb exe thing.
3. Open Winzip, and then open the exe WITH WINZIP.
4. Extract the PDF without agreeing to the license.
This is what I have done, I did NOT agree (nor did I even SEE) the license, and I now have access to the
-- iCEBaLM
The legal problem with what they're doing is that they're deliberately making their software non-interoperable with published standards. This seems to indicate that they're trying to use their monopoly position to exclude competition, which is illegal.
Yes, that's it in a nutshell. The game here is that they're trying to use their monopoly in the desktop space to dislodge Unix in the server market. One of the ways they do this is by making the Windows 2000 PDC "look" like it embraces open standards, so that the I/T departments in Fortune 500 departments (which up until now have very often used Unix/Linux systems in their back offices) think that using Windows servers, and the Windows 2000 PDC in particular, is mostly harmless.
But the Windows 2000 clients have been architected so that you only get a bunch of cool features if you use their propietary protocol extensions. So it's clear that Microsoft is trying to create a monopoly situation with the Windows 2000 PDC, and once they control enough of the servers, they'll have an even tighter lock on the client market, and vice versa.
In my opinion, the DOJ really should have proposed splitting Microsoft's OS operations into a Client OS company and a Server OS company, in addition to splitting away the Office operations. Unfortunately, given that they've already submitted their proposal, it may be too late to fix things. Simply splitting the Office group away isn't going to stop Microsoft from playing dirty tricks in the client/server OS space, just as they've done here.
If they're not conformant with a open and trademarked standard, they should not be allowed to say they are. Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
to keep it secret. Put the pdf file on an IIS server. No one will find it there because there are no IIS exploits.