Slashdot Mirror
Kerberos Loophole May Be Closed/Apple Getting Kerberos
Paul Boutin writes "The Industry Standard talked to Kerberos' principal author and all-around ubergeek Clifford Neuman about his proposed rewrite of the IETF Kerberos standard (RFC 1510) to close the loophole Microsoft has been using to create a non-interoperable version. " It also looks like Apple will be bringing Kerberos to OSX, in partnership with MIT.
Does anyone else see a similarity between this and the RIAA/mp3 war? In each case, you have an entrenched old-school industry trying to use stale tactics (lawsuits, etc.) to shut down the subversive new-school methods. In both cases, even though their might is formidible, it seems obvious to me that their doomed in the long run. They don't "get it" because they're so stuck in their traditional thought prices^H^H^H^H^H^H processes.
You know what kinda scares me? That Microsoft or the RIAA will "get it." Let me paint you a picture:
MS Linux: Microsoft produces their own distro.
No, not their old "embrace and extend" strategy. In this scenario, Darth Bill repents and returns to the good side of the Source. Microsoft mines their proprietary code and programmers skills and begin a truly killer development cycle. They were already leaning towards "rentable apps." Selling the service for their own distro would be pretty similar.
Think about it. They have the dinero and organizational structure to make serious progress on the areas that many "community" distros are struggling with (GUI for lusers, etc). They're experts at making things look attractive to customers. Red Hat has a few years on them, but once Microsoft got up to speed, they could quickly catch up. They could leverage their vendor relationships and brand name ("Your customers want Linux? We can give you MS Linux!").
I know it's hard to avoid thinking that this would just be a ploy and MS would pull a bait-and-switch later, but I'm afraid that they wouldn't. If they can remake their corporate image at the same time by "playing nice," the may not be doomed as we might hope.
I'm not pro-MS. I'm not flamebait-ing. I'm 95% sure that MS is too stuck in their mindset to ever go this route, but I can't help but wonder about the possibility.
Damon
Work as if you don't need the money,
Love as if you've never been hurt, and
Dance as if no one's watching.
So, rather than appear foolish afterward, I renounce seeming clever now.
Probably most of you are old enough to remember thefall of cuommunism...how the monolithic beast that was the bogey man of the 2nd half of the 20th century fell in a week (or so it seems). Once one country rebelled, everyone saw that there was nothing behind communism and it fell in a week.
As long as Slashdot continues to stand up to Micro$oft, it will enable everyone to stand up to them. So keep up with it.
Hopefully I didn't put any [] around my words.
This would actually be a very bad idea. Regardless of whether or not Microsoft's claims of trade secret protection actually hold any water, their lawyers will happily continue to act as though they do. The result of this is that, if the Samba team went and implemented the PAC field using Microsoft's spec, they would be immediately sued for trade secret violation. The result: no updates to Samba for the next couple of years as all of their resources are sucked dry by MSFT's legal team.
In fact, even if they implemented the field through good old reverse engineering now, they'd still be in danger. Since the spec has been so widely distributed, if MSFT pressed a suit, the burden of proof would be on the Samba team's lawyers to either prove that the trade secret status was no longer applicable, or else prove that none of their programmers has been "tainted" by the spec.
It's been suggested before that MSFT actually released the spec in this way specifically to ensure that the Samba team would be unable to implement full interoperability. I certainly wouldn't put it past them.
Quantum mechanics: the dreams that stuff is made of.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you do, please use contraceptives. The last thing we need right now are a bunch of baby bastard Microsofts.
'Scuse me, I am not a programmer and so understand very little behind the inner workings of most protocols.
Question: Why couldn't the maintainer's of the Kerebos spec, along with the OSS community be bastardly, and implement a different authentication protocol within the undefined bit? To me, it seems doing so would break MS's propietary version and place them in a situation where they must either drop their own, propietary extension, or lock access to only Microsoft products.
am I making sense at all or am I in error?
----
----
Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
The fact that it's specifically stated that they're working with MIT to develop this strongly implies that it'll be about as standard as it gets.
Well, no. See, the common use of Kerberos (and the original standard) is for authentication only -- knowing that you're you. MS, in order to let you use their services, is asking the question "Ok, you're you, but what can you do?". They're embedding the answer (your ACL) in the Kerberos header, but that means that you can't use any other Kerberos servers to talk to a MS box, since none of them can generate that info in the first place. A "proper" implementation would issue a ticket from the MS data server with the ACLs embedded, or better yet handle it as a separate datum, rather than forcing you to use an MS Keyserver.
No, actually it's not. It walks like Kerberos, but it doesn't quack like Kerberos. It permits Kerberos clients to authenticate using a Microsoft KDC, but it does not permit use of Microsoft services if you use another KDC. If it were Kerberos, it would.
DCE Kerberos is not interoperable with MIT's implementation. I don't see anyone screaming about that.
True. however, DCE is an open protocol, with full specs and source available for unrestricted download.
Finkployd
This looks like a perfect example of "embrace and extend" turned around on Microsoft. Looks like the IETF has decided to embrace the unused data field, and extend it in a "different" direction.
This is much sweeter than simply trying to get Microsoft for using the Kerberos name when their clients won't work with a server compliant to the published standard.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Okay, I admit I'm not a Kerberos expert, but I've looking into this issue some, and it appears to me that everyone is up in arms for all the wrong reasons.
As I understand it: Microsoft took a field in Kerberos marked for "vendor-specific data" and used it for -- get ready for this -- vendor-specific data. (If that is wrong, please feel free to correct me.)
So there is nothing wrong with Microsoft's Kerberos implementation. Getting mad at them for that is incorrect.
However, Microsoft has done some things worth getting mad about: First, the vendor-specific data is in a closed, proprietary format, designed to lock-out non-Microsoft implementations; and second, they've threatened Slashdot for what are (IMO) silly reasons (the exact merits of their case have been debated to death elsewhere; let's not repeat all that here).
We should be after MSFT to open up their protocols and compete fairly, and not after them for using a field in Kerberos for what it is designed for.
dragonhawk@iname.microsoft.com
I do not like Microsoft. Remove them from my email address.
Of all the ubergeeks, I would not have believed one to do AllAdvantage. Sheesh. See for yourself: http://home1.gte.net/bcn/recommendations/free.htm And the very link to (don't click): http://www.alladvantage.com/go.asp?refid=DJC-598 Would an ubergeek do AllAdvantage and try to take an opportunity to make money and refer herself, even though s/he is most likely to have enough money already....... No! Clifford Neuman, I pity you.
http://www.goat^H^H^H^Hmslinux.org
Will I retire or break 10K?
---
Why treat Microsoft differently than everyone else? (aside from the obvious)
---
Erm, because of the obvious...
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
When establishing a new standard, trademark the name. This can be perfectly compliant with OSS.
Write a 'nominal fee' ($1) license for Kerberos (tm) and "Kerberoid"(tm) (or some other word that describes Kerberos compatibility), and explicit terms under which the license is automatically issued upon receipt of payment. Then give the Trademark to EFF (or IETF - thought IETF is less likely to enforce, and may move more slowly on changes)
It is not to late to trademark Kerberos, since the originator has clear a clear history of title and trade use on this trade name for this "product".
If one requirement for licensing is 'interoperability' with a reference standard, then MSFT Kerberos becomes a litigable violation. A clever lawyer may find a way to make 'Kerberos compatible' a violation, though it would not be straightforward.
_____________
If you can go to bed, knowing you did a valuable thing today, you're very lucky. If you can't... it's not bedtime
The program refused to build the helpfile. It complained that the RTF was invalid.
Thinking that this was odd, I went to Microsoft Word 97, wrote the file there, saved it as RTF, and tried this brand new file in the same Microsoft-produced helpfile creator.
AGAIN the program complained that the RTF was invalid.
So I moved to my Linux box, fired up Applix 4.3.7, typed in the file, saved it as RTF, moved it to the Windows box, and tried again -- this time with an RTF file produced in a NON-Microsoft product.
The helpfile built without a single complaint!
DFL
Never send a human to do a machine's job.
---
:>
I suspect however your brain is playing a small trick on you...
Swapping out Apple and replacing it with Mac.
---
Nope. Slashdot changed it (well, at least they're responsive!).
---
Just wouldn't want you going around correcting people for a mistake they did not make... could be very embaressing
---
BTW, you misspelled emb... *SMACK!*
Nevermind.
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
Of course, the first question that comes to mind is: how is this going to influence the recent legal actions Microsoft pulled against /.
The second is, why is the IETF not in control of Kerberos completely, how could it happen that Microsoft made proprietary extension to the protocol?
Sigged!
MSFT Kerberos: a true bait-and-switch.
-- @rjamestaylor on Ello
I can only think of two API's, or specs, if you will, that microsoft has found reason to make non-interopable
Java, and this -
Are there more examples of protocols, specifications, API's, whatever, that had standards for interoperability, but the Windows or Microsoft implementation fails to meet them ?
Not that I doubt there are, I've just never really looked into it.
"Kerberos Loophole May Close around Microsoft's Neck"
:)
heh
Something tells me the bias may be on our side this time, folks
Aren't you dead?
According to the article, Microsoft said, "It's not about free speech. We're not asking for people's comments to be pulled down." EXCUSE ME??? That's exactly what they were asking in their letter to Slashdot. Fuck Microsoft.
-Nathan Whitehead
This is just more non-information, the same as the non-information that is continuously posted about HP OpenMail.
The client and the server REQUIRE that LDAP and or POP3 be open! This requires the Admins to be willing to support Linux and other open systems.
The exchange protocol is illegal to write against. Any company that tries to make a linux client that works with the exchange protocol will get sued into the ground.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Microsoft is wholly dependent on the authors of Kerberos. They need to be able to claim interoperability and that they are on the cutting edge, but depend on the sanction of their victims. I think its excellent that the authors of the Kerberos spec are withdrawing that permission - in a sense reminding Micros~1: "Kerberos is MINE, and I'm LETTING you use it".
I want to delete my account but Slashdot doesn't allow it.
Kerberos is about security. The IETF can make analyses and determinations about the security of its standard protocols. If the Microsoft implementation of the extension does not cooperate to work toward necessary security in Kerberos, IETF (and MIT) are right to point this out and route around it.
Microsoft started this discussion by publishing the document on the web. Now it has to live with the consequences.
As far as the relevance to the Slashdot case goes, I suppose you noted the hints that the implementation for the extension is not original, since it was already presented on the Kerberos mailing list by another?
A long time ago, Apple had an alliance with Netscape (then still a stellarly successful browser company). Then MS invested $100m in Apple, and consequently Apple dropped Netscape and standardised on MSIE.
Now that Apple are adopting Kerberos, what's to say that it will not be proprietary Microsoft Kerberos? If MS could get Apple to support their fork of Kerberos, it'd make it more likely to win the standards battle. (And official standards mean little in the fast-moving IT game; witness what happened to HTML 3.0.)
When a specification is updated, a new RFC is posted. If a new RFC was written for Kerberos v6 (or whatever Clifford Neuman wants to call it), Microsoft could still (rightfully) claim full compliance with the original Kerberos specification (RFC 1510).
My personal take on this is that it's sour grapes. It appears to me that the other commercial Kerberos implementations are not fully compatible with MIT v5 either, and probably for the same or similar reasons, and where's the righteous indignation about those?
CyberSafe's TrustBroker (Acrobat Reader needed) indicates in it's FAQ that it's compatible "at the protocol layer", and strongly implies that there are interoperability problems or limitations.
DCE Kerberos is not interoperable with MIT's implementation. I don't see anyone screaming about that.
I'd like to see a reasonable discourse on this issue, without all the "Evil Micro$oft" rhetoric. Should standards all be written in such a way that no one is free to innovate?
Here's a side note. Regardless of what OS you use, don't you advocate the spread of Kerberos as an authentication protocol standard? If so, you should probably be grateful. I'll bet more computers have been running Kerberos since February than have ever run it before.
People aren't even seeing the more serious issue here. If Microsoft implements these so-called Kerberos extensions, reverse engineering them is not what we want to be doing (regardless of legality).
Getting the IETF to make the standard more rigid is a better course of action. It forces Microsoft to adhere to certain rules if they want to claim Kerberos interoperability.
If we start the reverse engineering game with Microsoft, they will have achieved their goal -- defacto control of the Kerberos standard. They will have the ability to modify their extensions at will, thus forcing anyone who requires interoperability (e.g. Samba) to scramble to catch up.
Once Microsoft has you playing catch-up, you're right where they want you. See Netscape for details.
Best regards,
SEAL
Of course some of us aren't all that happy when we see interoperability suffering, no matter who the culprit is. But when Microsoft does something like this, everyone becomes very wary, because they've shown they have the market clout and the disposition to try to force their stuff down everyone's throat. Sortof the difference between anyone worrying about lil' ol' ME buying a gun, vs. a violent criminal.
Tweet, tweet.
It does MSFT no good to say they comply with the old version of Kerberos if everyone moves on to a non-extend-and-embrace version. Noone will buy it then.
Will in Seattle
For a moment, I was thinking of that other loophole in Kerberos...
-------
Warning: Slashdot may contain traces of nuts.
It's pretty ironic that in this article dealing with Microsoft's Kerberos implementation, you're blaming Microsoft for their browser correctly interpreting the W3C's HTML 4.01 spec, by which </ a> isn't valid HTML. Now why do I get the feeling that if IE5 worked with this invalid HTML, you'd be moaning and crying about Microsoft embracing and extending the HTML standard? Hmmm?
Just like Microsoft's Kerberos implementation adheres to the IETF Kerberos standard, so does IE5 adhere to the HTML standard in the example you mentioned above. What part of "standards" do you guys not understand? Looks like they're always a good thing except when Microsoft follows them.
Cheers,
ZicoKnows@hotmail.com
"You know, you use that word a lot, but I don't think it means what you think it means ..."
How about forcing people to make innovative *standards* that others can use and prosper from just as easily as you can? That is, after all, how the Internet came about. TCP/IP was very innovative, POP3/SMTP/HTTP/DNS too, Unix socket i/o, and yes, even Linux are all very innovative products. They're also very pervasive products as well, although this has as much to do with the fact that it's an *open innovation* than it does with the innovative nature of it...
Micrsoft and its cronies love to use this 'innovate' word, but I don't think it means what they think it means. Maybe they're using MS Dictionary 1.0, I dunno.
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Okay, I'll see your touché and raise you a c'est bon. I don't disagree with you about why some people are perturbed, it's just tiring to see so many people continue to misunderstand the fact that their Kerberos implementation is compliant. As to the current article, it surprises me that when writing a vendor-specific field, MIT wouldn't expect some companies to use that field to create implementations that were only operable between that single vendor's products. To me, the current complaints sound like a knee-jerk anti-Microsoft reaction.
Cheers,
ZicoKnows@hotmail.com
Neither does it display right in Netscape 4.72 under NT4. But it displays correctly in my sentimental favorite of all browsers, Lynx.
Yours WDK - WKiernan@concentric.net
It's not a knee-jerk anti-Microsoft reaction, this outcry over Microsoft's latest standards-smashing scam is well-founded. The whole idea of Kerberos was to have a publicly-documented, platform-independent authentication scheme, and Microsoft deliberately broke it. To make matters worse, they pull this disgusting legal razzmatazz with their EULA-protected "trade secrets," to forestall legitimate reverse engineering.
Cheat, cheat, cheat, and even in the midst of their antitrust suit they never stop - the Sid Vicious of software vendors. God knows, "business ethics" is something of an oxymoron, but even amidst the low, swinish company of capitalist businesses in general, Microsoft stands out; that damned gang is just plain pathological.
OK, you could say that "any company in their position in a capitalist market system would act as they do," and I suspect you'd be right - but that is only an indictment of capitalism in general.
Yours WDK - WKiernan@concentric.net
---
:>
It also looks like Mac will be bringing Kerberos to OSX, in partnership with MIT.
---
Mac? Who is Mac?
By chance do you mean Apple?
No offense, but you PC guys always get that wrong. It's as bad as saying that a given OS was written by "Linux Torvalds".
- Jeff A. Campbell
- VelociNews (http://www.velocinews.com)
- Jeff
In a way, I hope that developers DON'T come out with a patch that makes "standard" kerberos capable of talking to MS Kerberos.
Why? Because this would be tantamount to accepting the Microsoft extensions, and making the standard needlessly more complicated to support. Why should MS be allowed to have a different implementation than everyone else? Why should people who want to use Kerberos in heterogenous environments be forced to deal with 2 separate interfaces?
No, I think that I would prefer to see the rest of the world adapt the new standard, and snub the MS version completely. That would be a great test of whether MS really does have monopoly power over the industry; we could just see who gave in. If it's a case of "The rest of the world" vs. "Microsoft", and the world loses...then there is definitely still a problem, and that means that MS can still do whatever they want, unchecked, and unfettered by what is good or preferable for the populance.
WMBC freeform/independent online radio.