Slashdot Mirror


Microsoft vs. Slashdot Update

I spent some of yesterday and part of today (Saturday) on the phone with our law firm's intellectual property specialist discussing Microsoft's attempt to get us to remove reader posts about Kerberos. We're lucky to have a lawyer who "gets it." We're also lucky to have gotten some very favorable press about all of this.

But, sadly, I can't really tell you much more right now than "we're still working on it" for two reasons:

  • We're exploring a lot of angles and doing a lot of research, and in order to maintain attorney-client privilege we must keep all discussions with our lawyer *extremely* private.
  • Microsoft's legal people (obviously) read Slashdot.

I have scanned every single reader post on this subject, and some of them have contained *very* helpful suggestions. It hurts me not to be able to share more, especially with those of you who have given us useful advice.

Meanwhile, Andover.net's management has been totally supportive. Our President, Bruce Twickler, deserves special thanks for his staunch backing and general coolheadedness. And our VP of Corporate Communications, Janet Holian, has done an excellent job of getting information out to other media while letting us work (comparatively) undisturbed.

There are also rays of light from the other end. I've gotten a small but steady trickle of e-mailed support messages from Microsoft workers who are embarrassed by their employer's actions both in rudely extending Kerberos and their attempt to "publish" their proprietary Kerberos extensions while still trying to keep them hidden behind a non-disclosure agreement.

Please bear in mind that many Microsoft employees are perfectly nice people. For all we know, the nice people at Microsoft may yet persuade the not-so-nice ones that there are times when it's better to work with others to establish industry-wide standards than it is to act as if the freedom to innovate belongs only to Microsoft.

(Special message to nice Microsoft people: Here's a quote you may wish to call to your bosses' attention: "...Kerberos is a multivendor standard, so it allows secure interoperability and the potential for single sign-on between the Microsoft world and other vendor environments." If they ask where you got these words, please refer them to this Microsoft.com page.)

Anyway, once again, please accept my personal apology for not being able to share more information with you right now. This is an uncomfortable situation for everyone involved, and we hope that Microsoft chooses to give this story a happy ending as soon as possible.

- Robin "roblimo" Miller

12 of 411 comments

  1. Well Said by Anonymous Coward · · Score: 5

    It is often easier to vilify an entire organization and all those associated with it rather than take the time to reason out the inner divisions that most likely exist. Thank you for acknowledging those that are trying to take the empire down from the inside :)

  2. Re:Net Worth of the 'Honchos' is of little concern by Darchmare · · Score: 5

    Look at it this way. What is Microsoft's greatest asset other than its brand? Its people. The engineers who work there.

    How does Microsoft keep them there? Stock options, mostly. The pay is decent, but the main draw is a chunk of the company that is always going up.

    What happens when the stock is wounded? People leave. As simple as that. There are tons of other companies out there who would love to have Microsoft's talent (and yes, even though they make a lot of shitty products, the engineers are usually not to blame in the end). By wounding their stock price, you deal a blow far greater than a perceived drop in faith in Microsoft's stock.

    - Jeff A. Campbell
    - VelociNews (http://www.velocinews.com)

    --

    - Jeff

  3. All Funny Quotes from the same section... by Accipiter · · Score: 5

    There's one last point about Kerberos that's worth addressing: why did Microsoft bother with it? In previous versions of Windows NT, network authentication was handled by NTLM. Why make a change? How is Kerberos better than NTLM?

    There are several answers. First, as you've already seen, Kerberos provides several features that aren't available in NTLM. Delegation and mutual authentication are both available with Kerberos, but neither is possible with NTLM today. Also, Kerberos is typically faster than NTLM, since each NTLM client authentication requires a server to contact a domain controller. In Kerberos, by contrast, a client can supply the same ticket over and over, and the server can use just that ticket to authenticate the user. There's no need for the server to contact a domain controller each time a user needs to be authenticated. And finally, Kerberos is a multivendor standard, so it allows secure interoperability and the potential for single sign-on between the Microsoft world and other vendor environments.

    Any way you look at it, Kerberos qualifies as progress. It's nice to see this powerful, secure, but long-neglected protocol move into the limelight. After years of languishing in relative obscurity, Kerberos is about to go mainstream.

    This is from the above referenced URL at http://www.microsoft.com/msj/defaulttop.asp?page=/msj/0899/kerberos/kerberostop.htm. Let's take a look, shall we?

    Kerberos is a multivendor standard, so it allows secure interoperability and the potential for single sign-on between the Microsoft world and other vendor environments.

    Actually, from what I've seen, The Microsoft 'version' of Kerberos doesn't allow interoperability "between" Microsoft and other vendors....it only allows operability from Microsoft OUT to other vendors, and not IN. (This was plugged into their crappy 'enhancements' to Kerberos.)

    After years of languishing in relative obscurity, Kerberos is about to go mainstream.

    What? There are two points to be made here. 1.) Kerberos was never really in obscurity. It was a widely used protocol, and was CREATED for the purpose of authentication. NTLM was a piece of crap, and Microsoft admits that now. 2.) Because Kerberos is being woven into Windows, THAT makes it mainstream? Oh please, give me a break. What's funny, is that Microsoft states that "Any way you look at it, Kerberos qualifies as progress.", yet their implementation (If you can call it that) takes a step backward by locking out functionality. Progress? Nah...

    --

    -- Give him Head? Be a Beacon?
    (If you can't figure out how to E-Mail me, Don't. :P)

  4. Re:Amazing that Microsoft is STILL trying... by Black+Parrot · · Score: 5

    > I have to admit, I also wonder about the intelligence involved in putting up confidential material on the Web and then getting their knickers in a twist when it's spilled to the masses.

    I suspect that, among other motives, MS is hoping to establish a precedent for "clickwrap" to be a valid mechanism for a binding NDA, in addition to being a mere EULA.

    --
    Sheesh, evil *and* a jerk. -- Jade

  5. Semi-dirty tricks to consider by Ralph+Wiggam · · Score: 5

    I know I'm probably not the first person to think of this, but I want to post it anyway:

    Even though Slashdot/Andover is obviously on the side of right here, you may well lose a long and protracted legal battle. Andover IPO money is great, but Microsoft has misplaced more cash than that. Lawyers cost money and good lawyers cost a LOT of money.

    My suggestion: kick them in the PR department. MS has been hit with a tsunami of bad press lately with DOJ rulings, security holes, and general bastardness. Reporters would love to follow those stories up with "Microsoft subverts standards and strongarms little guys". What Roblimo and the crew need to do is run to every media outlet that will listen to them. Also, strike while the iron is hot. The top of the list needs to be The Wall Street Journal. If Monday's front page includes a story about this situation, it would be very damaging. If one mutual fund manager reads about this and says to himself "These are the actions of a company grasping at straws to keep themselves on top of an industry" and sells a ton of MSFT, it's going to put a dent into the net worth of every honcho in Redmond.

    Bottom line: Roblimo needs to make this into a battle that Microsoft has no interest in continuing.

    Keep fighting the good fight.

    -B

  6. Copyright *is* a free speech issue by reptilian · · Score: 5

    I apologize if this doesn't sound very coherent, as I'm having a bad day.

    With strict copyright laws, congress is indirectly legislating censorship of the people. By strengthening copyright, companies are able to use legal means to censor anyone they wish, be it other companies, competitors, or consumers. While congress wasn't actively attempting to legislate censorship, inadvertently they have, to the advantage of corporations who it can now be argued are agents of the government.

    That last statement might seem a little strange, so bear with me. It is in the best interests of the government for its companies to do well, to strengthen the economy and keep it strong. They are essentially employing the companies to remain profitable, which they do by censoring others using copyright laws.

    Anyway, I'm not against intellectual property; what I *AM* against is congress' obsession with 'protecting' the rights of corporations regardless of the consequences on people's rights. I don't have a problem with copyright per se, but excessive protection of intellectual property is in my opinion unconstitutional: laws passed for a purpose that is not censorship, and inadvertently cause censorship, *are* unconstitutional. The courts have ruled this way before. Government mandated "ratings" on speech are a form of censorship, and aren't tolerated, so it shouldn't be much of a stretch to say government delegated protections on property that promote censorship are too unconstitutional.

    --

    72656B636148206C72655020726568746F6E41207473754A

  7. Re:Amazing that Microsoft is STILL trying... by fougasse · · Score: 5
    First, we're not dealing with reverse-engineering here. I'm not sure of the legality here, but it certainly should be legal. We're dealing with copying a copyrighted document.

    The Kerberos spec includes empty fields for vendor use. Microsoft used one of these fields; they have no obligation to make info on their use of it public. Yes, it's against the spirit of cooperation, but did you honestly think that Microsoft was a believer in cooperation? I don't think that it's a good or smart move by Microsoft, but in comparison it's not all that evil. It's similar to taking BSD-licensed software and releasing a proprietary modified binary of it. Not great, but not satanic.

    Anyway, whether or not what Microsoft did is compatible with open-source ideals has nothing to do with reproducing it illegally. If I believe in open source and get my hands on the MS Office source code, I can't distribute the source code openly. Or, conversely, if I believe in closed source, I can't sell binary-only copies of modified GPL software.

  8. What is M$ goal? by ras · · Score: 5
    When I first heard that Microsoft picked a fight with one of the most popular eZines I found it difficult to believe. The timing was odd, to say the least. But I came across two posts, one from The Register and one a Slashdot comment, and between them it all made sense. This is what The Register said:

    "The threat Microsoft perceives isn't from Kerberos itself, but from the progress achieved by the Samba developers. The latest goal for Samba's developers is to replace Windows servers as Primary Domain Controllers capable of serving Windows 2000 clients. Equally, Microsoft wants to make its Windows servers compulsory in a Kerberos environment where Windows 2000 clients are involved, and it sees an opportunity to leverage that client base."

    The Slashdot comment said that one of the original comments singled out by the lawyers could not possibly have violated anything. This is the original comment:

    "What happens to the people that implement it (ie. the Samba guys) even if they obtain the information without intentionally breaking the license. Are they exposing themselves to expensive litigation? Are they endangering the project?"

    The link between the two comments is Samba. One says Samba is the primary threat. The second asks what effect all this has on Samba. I don't know, but I would dearly love to find out. My guess is that Microsoft is trying to stop Samba from emulating their version of Kerberos. They already know that it will be reverse engineered - so the question becomes how do you stop it. Simple. Publish the spec and say in your EULA:

    "the Specification is provided ... for the sole purpose of reviewing the Specification for security analysis ... Microsoft does not grant you any right to implement this Specification"

    Now any attempt at reverse engineering the protocol can be attacked by saying "you did not reverse engineer it - you used our spec which is in the public domain". This would be very difficult (read: expensive) to defend. In short it allows them to use the DMCA as a weapon against Samba. Finally, you have to make sure the people at Samba, and indeed anybody else who might have plans for reverse engineering it, are aware of what Microsoft has in store for them. This is not a trivial task as Microsoft lawyers don't usually spend their days mingling with free software types. Enter Slashdot. And I think we would all agree Slashdot has done a wonderful job for them so far.

  9. Amazing that Microsoft is STILL trying... by Tailchaser · · Score: 5

    Even after all the hot water the boys in Redmond have been in recently, why do they STILL persist in engaging in various types of manipulation of questionable legality? One would think they would think twice and three times about any moves they would make at this point.

    I have to admit, I also wonder about the intelligence involved in putting up confidential material on the Web and then getting their knickers in a twist when it's spilled to the masses. Besides, this is basic 'trade secret' law. If you don't want it on the front page of the Sunday paper, DON'T put it on the Web, encrypted or not! If this was really a 'trade secret' (as opposed to simple 'intellectual property'), then don't they have the responsibility not to hang it out in the wind for all and sundry? Seems to me, they were setting themselves up for this one.

    --TC

  10. to all you anti-corp people by DrEldarion · · Score: 5

    ... who complained when /. got bought by Andover, this should go to show you that it's not necessarily a bad thing. Had they not been, the resources most likely wouldn't be there to fight MS, and we'd probably have to just give in.

    Way to go, guys. Keep fighting this.

    -- Dr. Eldarion --
    It's not what it is, it's something else.

  11. Even the MS managers aren't eeee-vil by Trollusk · · Score: 5
    As one of those MS employees bothered by my employer's tactics in this whole ugly mess, I just wanted to throw in my two bits on why MS does dumb, heavy-handed stuff like this. It's not (most of the time) our managers who do nasty things like send out cease-and-desist letters or require massive EULAs. It's the lawyers, with their paranoid attitudes about the various kinds of trouble, real and phantom, they see us getting into if this-that-or-the-other loophole isn't closed and sealed up tight. The DOJ trial doesn't help matters: the lawyers can say "look what happened when you didn't listen to us last time!" and as a result, people are reluctant to stand up to the advice from Legal when that advice is along the lines of "you'll be at risk unless you treat this material as proprietary."

    As for Kerberos, I don't know the details, but I'd guess it's very unlikely that Gates and Ballmer sat in a room cackling somewhere and decided to make a non-interoperable version. MS is too big and -- gasp -- has too many autonomous units doing their own thing for that image of complete totalitarian control to have all that much truth to it.

    Personally, I work for a pretty damn ethical group. Where there are standards or standards drafts, we adhere to them. It's only where there aren't standards already coming along in the pipeline that we go our own way.

    1. Re:Even the MS managers aren't eeee-vil by Pinball+Wizard · · Score: 5
      >> Authentication is such a small, small part of the Windows 2000 Professional/Server relationship. Without Windows 2000 Server and Active Directory, you lose a HUGE amount of corporate managability such as Group Policies and the likes. Simply being able to authenticate to a Linux box is a fairly small bonus.

      Actually, I was talking about authenticating from a Linux box. Since Linux is open source, Windows doesn't have any problem authenticating to it. However, there are lots of environments that use Unix servers and Windows desktops, and a Unix server can't use Kerberos to provide authentication for accessing files from Win2K desktops.

      Don't forget, Linux has LDAP, and that the most widely accepted model for networking is the internet protocols. By insisting on proprietary protocols, rather than participating in the development of standard protocols that every computer company needs to use, they are only continuing to generate bad publicity for themselves, causing more people to turn to Linux, and turning away from the Microsoft platform. Networking is technical, but it's also social. Piss enough people off and watch that MS stock continue to drop.

      >> Don't get me wrong, Microsoft's implementation of Kerberos should allow your scenario to work but I don't think it was done this way explicitly to prevent 3rd party authentication mechanisms.

      Then why did they release the code in such a way as to prevent Samba from being able to make a workaround? The Samba team would write a workaround in a heartbeat if Microsoft didn't forbid this in their EULA. With this Kerberos stunt, they are proving that the DOJ was right and that they really need to have their power limited. It's simply not ethical for MS to take an open source protocol and use it to deny services to open source operating systems.
      --

      No, Thursday's out. How about never - is never good for you?