Microsoft Warms Up to Linux
prostoalex writes "InfoWorld reports that despite warming to the OS, Microsoft won't be releasing its own distribution of Linux any time soon. From the article: "Hilf acknowledged that Microsoft's commitment to Windows does not preclude the company from continuing a strategy he has led in his 19 months at the software vendor: To see how Microsoft's proprietary technologies can better interoperate with Linux and a host of other open-source software. In fact, that is exactly what will be the focus of a discussion the long-time open-source proponent will lead at this year's upcoming Linuxworld Conference & Expo next month in San Francisco. In a session entitled, 'Managing Linux in a Mixed Environment ... at Microsoft?' Hilf, who polished his open-source evangelism skills working on Linux deployments at IBM Corp., will talk about how he and the team at the Linux/Open Source lab run open source technologies in "the most Microsoft-centric IT environment on the planet." "
Yes, I occasionally "work the video card hard" doing some of my own OpenGL work, plus a little Enemy Territory now and then.
Since you claimed "every desktop" and "every video card", your argument is thus refuted.
Ryan T. Sammartino
"Ancora imparo"
Interestingly, doing what MS did in the way they did introduces a weakness in Kerberos.
The MSKDC populates the authorization-data in the ticket-granting ticket (TGT). This is copied into the TGS-REQ when a service ticket is requested, and then is copied from the request into the service ticket. Services make authorization decisions based on the group data in the service ticket.
According to Microsoft, this is an optimization issue. Enumerating group membership is relatively expensive, especially with nested groups, so MS chose to do it only once per login session, i.e. when the TGT is requested.
But what this means is that if a user's group membership is changed during the lifetime of a TGT (10 hours by default), the changes don't take effect until the user gets a new TGT.
Now, in an MS-only environment, you can mitigate this by using forced logoff. Basically, the administrator tells the workstation to discard the user's TGT, and the user is forced to get a new one, with his new group enumeration.
But you can't do this to any other Kerberos implementation--like MIT Kerberos on Linux or Mac OS X. So if a mole logs in to his Linux box and gets a TGT from your domain at 0800 and starts using his privileges to wreak havoc, there's nothing you can do (other than physically disconnect him) until his TGT lifetime runs out 10 hours later.
Sucks to be you that day, doesn't it?
Admittedly this isn't a very likely scenario, but it does illustrate the point that mucking with security protocols at random like this can have non-intuitive effects.
-- Cerebus
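The stale-authorization window Cerebus describes is easy to see in a toy model. The Python below is an added illustration, not code from the comment or from any real Kerberos implementation: the KDC, directory, ticket structure, principal name "mole", group names and timeline are all constructed. It models the flow the comment lays out (group data enumerated once at TGT time, copied into every service ticket, consulted by the service) and then runs the same timeline twice, once for a client the administrator can force to log off and once for a client he cannot reach, so the two outcomes can be compared.

```python
"""Toy model (constructed, not real Kerberos) of the authorization-data flow
described in the comment: the KDC enumerates group membership once, when the
TGT is issued, and later service tickets simply copy that data out of the TGT.
Times are seconds after the 08:00 login in the comment's scenario."""
from dataclasses import dataclass

TGT_LIFETIME = 10 * 3600  # the default TGT lifetime cited in the comment, in seconds


@dataclass
class Ticket:
    principal: str
    groups: frozenset   # authorization-data baked in when the ticket is issued
    issued_at: int
    expires_at: int


class Directory:
    """Group membership as the directory currently sees it (hypothetical)."""

    def __init__(self, members):
        self._members = {user: set(groups) for user, groups in members.items()}

    def groups_of(self, user):
        return frozenset(self._members.get(user, ()))

    def remove_from_group(self, user, group):
        self._members[user].discard(group)


class KDC:
    def __init__(self, directory):
        self.directory = directory

    def issue_tgt(self, user, now):
        # The expensive group enumeration happens exactly once per login session.
        return Ticket(user, self.directory.groups_of(user), now, now + TGT_LIFETIME)

    def issue_service_ticket(self, tgt, service, now):
        if now >= tgt.expires_at:
            raise PermissionError("TGT expired; client must re-authenticate")
        # Authorization-data is copied TGT -> TGS-REQ -> service ticket; the
        # directory is NOT consulted again here, which is the whole point.
        return Ticket(tgt.principal, tgt.groups, now, min(tgt.expires_at, now + TGT_LIFETIME))


def service_allows(ticket, required_group):
    """The service decides purely from the group data carried in the ticket."""
    return required_group in ticket.groups


def run_scenario(forced_logoff):
    """Return (allowed_before_revocation, allowed_after_revocation,
    allowed_after_tgt_renewal) for one login session.

    forced_logoff=True models the MS-only mitigation (workstation discards the
    TGT and the user re-authenticates); False models a client the administrator
    cannot reach, which keeps using its original TGT until it expires."""
    directory = Directory({"mole": {"finance-admins", "staff"}})   # constructed data
    kdc = KDC(directory)
    client_tgt = kdc.issue_tgt("mole", now=0)                       # 08:00 login

    st = kdc.issue_service_ticket(client_tgt, "file-server", now=60)
    before = service_allows(st, "finance-admins")

    directory.remove_from_group("mole", "finance-admins")           # admin revokes at 09:00
    if forced_logoff:
        client_tgt = kdc.issue_tgt("mole", now=3600)                # fresh enumeration
    st = kdc.issue_service_ticket(client_tgt, "file-server", now=3660)
    after = service_allows(st, "finance-admins")

    # Once the original TGT lifetime has run out the client must get a new TGT,
    # and only then does the revocation reach the service tickets.
    later = TGT_LIFETIME + 60
    try:
        st = kdc.issue_service_ticket(client_tgt, "file-server", now=later)
    except PermissionError:
        client_tgt = kdc.issue_tgt("mole", now=later)
        st = kdc.issue_service_ticket(client_tgt, "file-server", now=later)
    renewed = service_allows(st, "finance-admins")
    return before, after, renewed


if __name__ == "__main__":
    print("unreachable client :", run_scenario(forced_logoff=False))  # (True, True, False)
    print("forced logoff      :", run_scenario(forced_logoff=True))   # (True, False, False)
```

The middle value of each tuple is the window the comment is about: for the client that cannot be forced to log off, the revoked group is still honoured an hour after it was removed, and stays honoured until the 10-hour TGT lifetime ends. The model also shows the two knobs a defender actually has in that situation: a shorter TGT lifetime shrinks the window, and a service that re-queries the directory instead of trusting ticket-carried groups closes it, at the cost of the per-request enumeration Microsoft was trying to avoid.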