Slashdot Mirror


Microsoft Warms Up to Linux

prostoalex writes "InfoWorld reports that despite warming to the OS, Microsoft won't be releasing its own distribution of Linux any time soon. From the article: "Hilf acknowledged that Microsoft's commitment to Windows does not preclude the company from continuing a strategy he has led in his 19 months at the software vendor: To see how Microsoft's proprietary technologies can better interoperate with Linux and a host of other open-source software. In fact, that is exactly what will be the focus of a discussion the long-time open-source proponent will lead at this year's upcoming Linuxworld Conference & Expo next month in San Francisco. In a session entitled, 'Managing Linux in a Mixed Environment ... at Microsoft?' Hilf, who polished his open-source evangelism skills working on Linux deployments at IBM Corp., will talk about how he and the team at the Linux/Open Source lab run open source technologies in "the most Microsoft-centric IT environment on the planet." "


  1. Quick! by ucahg · · Score: 5, Funny

    Somebody prove this wrong. Microsoft can't like Linux, it must all be talk, right? *head explodes*

    1. Re:Quick! by AKAImBatman · · Score: 5, Insightful

      It's just the same Embrace and Extend tactics that Microsoft has always used. When Windows 2000 came out, Microsoft promised perfect Unix interoperability. Of course, they subtly changed the Kerberos protocol and several other protocols to favor Microsoft's OS in the domain controller position, allowing them to later push Unix as legacy stuff Microsoft is helping you get rid of.

      The fun part is that I asked a Microsoft rep about the Kerberos problem and he lied to my face.

      You've heard of "If you can't beat 'em, join 'em?"
      For Microsoft it's, "If you can't beat 'em, pretend to join 'em, then stab them in the back when they're not looking."

    2. Re:Quick! by AKAImBatman · · Score: 4, Insightful

      Are you sure he wasn't just plain ignorant (representatives tend to be)?

      Quite possibly. But he was one of those training-a-roomful-of-people-on-the-advantages-of-Win2K guys. Microsoft played him off as an engineer type who knew the system. When he got to the training on Kerberos, I got up and asked him point-blank about it only working one way. He told me that Windows 2000 would absolutely work with a Unix Kerberos Domain controller. I pressed him on it and he insisted. I let it go, but it proved to me that the reps will either run with misinformation or outright lie if they feel it will help their case.

      A very amusing example of this was the incident where a rep argued with David Korn on Microsoft's version of the Korn Shell. I'll bet Mr. Sullivan felt a bit sheepish after that. ;-)

  2. Warms up? by Magada · · Score: 5, Insightful

    You know what they say ... if you can't beat them ... embrace and extend.

    --
    Something bad is coming when people are suddenly anxious to tell the truth.
    1. Re:Warms up? by NotFamous · · Score: 4, Interesting
      It's actually three E's:
      • Embrace
      • Extend
      • Extinguish
      --
      Some settling may occur during posting.
  3. Microsoft will eventually distribute Linux. by base3 · · Score: 4, Interesting

    They'll have to provide a version of Linux signed with the endorsement key for the Palladium/TCPA/NGCSB platform so they can pretend that it's not about DRM and vendor lock-in.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
  4. Old saying by suso · · Score: 4, Insightful

    Keep your enemies closer?

    1. Re:Old saying by sgant · · Score: 4, Funny

      Today in Seattle Washington, Linus Torvalds, Bill Gates and Steve Jobs announced they are all getting an apartment together, each sharing 1/3 of the rent. They say they're just really good friends when asked why they were doing this, while all 3 smiled uncomfortably.

      When asked if Oracle CEO Larry Ellison would also be moving in, the 3 software giants just looked at each other and busted out laughing.

      --

      "Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
    2. Re:Old saying by Profane+MuthaFucka · · Score: 4, Funny

      Just a warning to my fellow geeks: that old saying should NOT be taken as a valid justification for marriage.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  5. It's like gravity by A+beautiful+mind · · Score: 5, Funny

    The big planet-sized MS is starting to feel the Linux moon's effects. Oh wait, that's no moon!

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  6. Interoperation with Linux ? by tpgp · · Score: 4, Insightful

    a strategy...to see how Microsoft's proprietary technologies can better interoperate with Linux and a host of other open-source software.

    If Microsoft wants better interoperation with linux, they do not need to create a Linux/Open Source lab to investigate interoperability.

    All they need to do is release specifications or source-available implementations of their network protocols and file formats.

    Is this really so hard to understand?

    --
    My pics.
    1. Re:Interoperation with Linux ? by thisissilly · · Score: 4, Insightful

      You do not understand the MicroSoft definition of "interoperate":

      "Making sure you cannot talk to us without giving us per-client money."

  7. Re:Maybe we could get a usable desktop? by ryants · · Score: 4, Informative
    $ uname -s -r -v -m -p -o
    Linux 2.6.11-6mdksmp #1 SMP Tue Mar 22 15:40:42 CET 2005 i686 Pentium III (Coppermine) GNU/Linux

    $ cat /proc/driver/nvidia/cards/0
    Model: GeForce 6200
    IRQ: 5
    Video BIOS: 05.44.a2.03.51
    Card Type: AGP

    $ uptime
    08:10:44 up 27 days, 10:28, 1 user, load average: 0.05, 0.17, 0.24
    27 days ago there was a power outage.

    Yes, I occasionally "work the video card hard" doing some of my own OpenGL work, plus a little Enemy Territory now and then.

    Since you claimed "every desktop" and "every video card", your argument is thus refuted.

    --

    Ryan T. Sammartino
    "Ancora imparo"

  8. Babelfish translation by tod_miller · · Score: 4, Funny

    To see how Microsoft's proprietary technologies can better interoperate with Linux and a host of other open-source software.

    Find ways of maximising the effect of all this money spent on brute forcing patents into the EU. Find ways that Linux is interoperable and quash them.

    Hilf (wasn't this the nickname for Adolf?) is an open source evangelist, from IBM, working at Microsoft... erm... what's that Master Yoda? You sense great fear and anger in this one yes hmmmm? *cough*dark side*cough*

    In fact, he boasted in rather geeky fashion that he has attended every single Linuxworld in the U.S. since the show was first held in 1999. "I should get some kind of medal for that," Hilf joked.

    Yeah, one that says 'in medical emergencies call this number ### #######'. Mentalist.

    "Microsoft has now gotten to a point that they're accepting the fact that there's enough Linux in their customer environments that they need to interoperate with Linux in the same way they interoperated with Unix in the past," Goulde said.

    Erm - don't drop us yet, we are compatible with Linux!

    Microsoft Windows ShortNose 2017: A Linux compatible operating system with FREE smileys!

    "The attitude is more, 'Tell me more about this,' versus, 'God, don't touch this, it's going to explode if we look at it.' Polarization is starting to be less and less."

    Yes, because open source is explosive... like those bomb terrorists use!! MSNBC.com:

    Linux Officially a New Terrorist Threat!

    This is all just a curtain of distraction while Microsoft rape the EU to get patents, and then land linux in a nice vat of steaming 'Yes we love linux, and interoperability, which is why they can license these 1838390 patents if they want to continue breathing!'.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
  9. the battle for management is just warming up by rapiddescent · · Score: 5, Insightful
    I think Microsoft understand that the battle of the OS is not where the real money is - the real money spinner is beating HP OpenView in the server/desktop management space and also owning the signing-in credentials (Active Directory) - these two things are FAR more important than old wars against Linux and open source. They know that Linux boxes are always going to be in the enterprise so they've thought up a strategy to make sure that they are within the MS management pool. A caring & sharing attitude will also fix some of the perception of arrogance that MS have with the Office of Government Commerce in the UK and similar procurement organisations outside the USA.

    For example: In most places I've been to, the customer has MS Active Directory in place. (I'm an enterprise TA specialising in Linux). That puts MS in a very strong position to be first choice for single sign on content management systems, document management platform and also system monitoring & management. The usual BS I hear is that AD makes it easier for the helpdesk to manage users and groups and so on.

    MS have been quietly making big investments in enterprise management. Remember SCO, how could you forget! There was one product that SCO sold off to a management buy-out and was rumoured to have been heavily funded by MS - this is Vintela. Vintela sells a single sign on solution for multiple OS (including Linux) that will allow Linux users to sign in as AD citizens into Linux and be managed just like the MS users.

    Another example is the new drive for MOM. MOM is essentially where HP OpenView was some years ago. HP OpenView has never got the pervasive coverage in organisations because it costs a bloody fortune and HP have been too stupid to commoditise the HPOV server infrastructure into something cheaper. Also, having an enterprise OpenView system takes manpower to set up correctly. The result is a catch 22 - the companies that actually need it don't have spare manpower - hence the reason they need an enterprise monitoring/management suite! MS MOM is a big step in the direction of Windows simple click (and break!) user interface that is convincing to management who will sign off procurement decisions. The MOM interface is surprisingly better than HPOV - plus MOM will also support Linux and Solaris boxes in the enterprise. I don't think it will be long before MS provides management hooks for JBoss, MySQL, Apache etc into MOM.

    By entering the enterprise market like this, MS is targeting products at the areas that control the whole strategy of an organisation: authentication/authorisation and systems management. It is a way of taking control and ensuring that any Linux/otherNix server has MS branding on it because that's how it is looked after...

    Essentially, Microsoft *have* to include Linux in their plans for their big step into Enterprise domination - Linux is actually helping them in a way because the rapid growth of Linux servers has forced them to consider enterprise platforms that they have not really been competing against in the past.

    rd

  10. Re:A likely story... by DrXym · · Score: 4, Funny
    Why else do you think they've hired four Gentoo people over the past six months?


    To work shifts to watch over the build they started at the same time?

  11. You are wrong. by mcc · · Score: 5, Insightful
    I am not personally familiar with Kerberos. However, I know how to read documentation. So let's look at the Kerberos spec, shall we? Any emphasis below is mine.
    The client prepares the KRB_TGS_REQ message, providing an authentication header as an element of the padata field, and including the same fields as used in the KRB_AS_REQ message along with several optional fields: the enc-authorization-data field for application server use and additional tickets required by some options.
    And then later on, multiple things to the effect of:
    authorization-data[10] AuthorizationData OPTIONAL
    The "data authorization" you refer to is-- by the spec-- clearly referred to as "optional" every time it comes up. This means that spec implementors are under no obligation to observe its contents. Now, if you go and look up the original problems with the MS Kerberos extension:
    From discussions with Microsoft, which were not under an NDA, the situation appeared to be as follows circa October, 1997. This information comes from the USENIX publication ;Login.

    NT 5.0 will indeed use Kerberos. However, the protocol has been "extended" by Microsoft, by adding a digitally signed Privilege Attribute Certificate (PAC) to the Kerberos ticket. The PAC will contain information about the user's 128-bit NT unique id, as well as a list of groups to which the user belongs.

    The NT PAC is unfortunately not compatible with the PAC's used by the Open Software Foundation's Distributed Computing Environment (DCE). It is also somewhat debatable whether the NT PAC is legal with respect to RFC-1510, the IETF Kerberos V5 protocol specification. The original intent of RFC-1510 prohibited what Microsoft was trying to do, but Microsoft found what they claimed to be a loophole in RFC-1510 specification.

    Many folks, including Paul Hill and Ted T'so at MIT, as well as Cliff Neumann at ISI, have tried to work with Microsoft to find a more compatible way of doing what they wanted to do. To that end, we made changes in the upcoming revision of RFC-1510 to add a clean and compatible way of adding extensions such as Microsoft's PAC to the Kerberos ticket.

    To Microsoft's credit, they agreed to change NT 5.0 to use a cleaner and more compatible way of adding extensions to the Kerberos V5 ticket ... [snip]

    RFC 1510 specifies that the encrypted part of a ticket may include an optional AuthorizationData field. If the authorization-data are present, they are decrypted using the sub-session key from the authenticator. ... [specified encoding of authorization-data field follows]

    Microsoft has not fully disclosed their use of the authorization data field. However some information is public knowledge at this time.... [partial, reverse-engineered Microsoft encoding of authorization-data field follows]
    So what we are left with is this. The Microsoft Kerberos extensions took a field clearly marked in the spec as "optional" and made it non-optional, while other implementations took the optional field and ignored it. Ignoring an optional field would be a correct implementation of the specification; requiring it would not. Meanwhile by the information above, the data Microsoft carried in the field is not only seemingly not the proper encoding of the AuthorizationData field given by the spec, but contains information which was not only outside the scope of the spec, but arbitrarily defined by Microsoft and then NOT PUBLICLY DOCUMENTED. Microsoft claims a "loophole" not specified justifies this, but if you use a "loophole" to add information to a protocol which breaks compatibility with existing implementations you cannot possibly blame anyone but yourself for this.

    It would appear you either are misinformed or trying to mislead us.
    1. Re:You are wrong. by Cerebus · · Score: 4, Informative

      Interestingly, doing what MS did in the way they did introduces a weakness in Kerberos.

      The MSKDC populates the authorization-data in the ticket-granting ticket (TGT). This is copied into the TGS-REQ when a service ticket is requested, and then is copied from the request into the service ticket. Services make authorization decisions based on the group data in the service ticket.

      According to Microsoft, this is an optimization issue. Enumerating group membership is relatively expensive, especially with nested groups, so MS chose to do it only once per login session, i.e. when the TGT is requested.

      But what this means is if a user's group membership is changed during the lifetime of a TGT (10 hours by default), the changes don't take effect until the user gets a new TGT.

      Now, in an MS-only environment, you can mitigate this by using forced logoff. Basically, the administrator tells the workstation to discard the user's TGT, and the user is forced to get a new one, with his new group enumeration.

      But you can't do this to any other Kerberos implementation--like MIT Kerberos on Linux or Mac OS X. So if a mole logs in to his Linux box and gets a TGT from your domain at 0800 and starts using his privileges to wreak havoc, there's nothing you can do (other than physically disconnect him) until his TGT lifetime runs out 10 hours later.

      Sucks to be you that day, doesn't it?

      Admittedly this isn't a very likely scenario, but it does illustrate the point that mucking with security protocols at random like this can have non-intuitive effects.

      --
      -- Cerebus
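
The revocation delay described in the comment above, as an added toy model that is not part of the original thread and is not Microsoft's or MIT's code. It uses no real Kerberos messages or encryption; `ToyKDC`, `Ticket`, the principal `alice` and the group names are hypothetical, and only the 10-hour TGT lifetime comes from the comment.

```python
from dataclasses import dataclass

TGT_LIFETIME = 10 * 3600  # seconds; the 10-hour default cited in the comment

@dataclass(frozen=True)
class Ticket:
    principal: str
    service: str              # "krbtgt" marks a ticket-granting ticket
    expires: int
    authz_groups: frozenset   # stands in for the group list in authorization-data

class ToyKDC:
    def __init__(self, directory):
        self.directory = directory  # principal -> set of groups (live state)

    def as_req(self, principal, now):
        # Group membership is enumerated once, when the TGT is issued.
        groups = frozenset(self.directory[principal])
        return Ticket(principal, "krbtgt", now + TGT_LIFETIME, groups)

    def tgs_req(self, tgt, service, now):
        if tgt.service != "krbtgt" or now >= tgt.expires:
            raise PermissionError("no valid TGT")
        # Authorization data is copied from the TGT, not re-read from the directory.
        return Ticket(tgt.principal, service, tgt.expires, tgt.authz_groups)

def service_allows(ticket, group, now):
    # The service decides from the ticket contents alone.
    return now < ticket.expires and group in ticket.authz_groups

def revocation_demo():
    hour = 3600
    kdc = ToyKDC({"alice": {"Users", "Finance-Admins"}})  # constructed sample data
    tgt = kdc.as_req("alice", 8 * hour)                    # login at 08:00
    kdc.directory["alice"].discard("Finance-Admins")       # group removed afterwards
    out = {}
    st = kdc.tgs_req(tgt, "fileserver", 9 * hour)          # client kept its old TGT
    out["old_tgt_09h"] = service_allows(st, "Finance-Admins", 9 * hour)
    fresh = kdc.as_req("alice", 9 * hour)                  # TGT discarded, new login
    st = kdc.tgs_req(fresh, "fileserver", 9 * hour)
    out["new_tgt_09h"] = service_allows(st, "Finance-Admins", 9 * hour)
    try:                                                   # old TGT at 18:00
        kdc.tgs_req(tgt, "fileserver", 18 * hour)
        out["old_tgt_18h"] = True
    except PermissionError:
        out["old_tgt_18h"] = False
    return out

if __name__ == "__main__":
    print(revocation_demo())
```

In this model the group removal only reaches the service once the client presents a ticket derived from a new TGT, which is why the effective revocation latency equals the remaining TGT lifetime.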