[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!

To: "Eric Rachner" <eric@xxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
From: "Memisyazici, Aras" <arasm@xxxxxx>
Date: Tue, 25 Nov 2008 10:51:52 -0500

<snip>
M$ should just bite the incompatibility bullet and turn NTLM off - that's been 
an option for users, theoretically speaking, since about the time Windows 
Kerberos support became mature, and practically speaking, nobody seems to be 
turning NTLM off here in the real world.
</snip>

Err... Have ya' ever attended 'any' sec. conf. in the past 6 years?? If so, 
you'd see recommendation #1 has always been:

*) refuse LM & NTLM, accept NTLMv2 only

Really... It's not that bad...  And in my world it is above along with quite a 
few others. The "industry-std" to locking down Windows has involved the above 
step for years now (O'Reilly books, several respectable authors...)

As I said before, people have moved on long ago since Microsoft's "solutions" 
weren't acceptable at the time. Some made the switch to other OSes, some bought 
soft. to counter-act the effect, some focused on the security-side of things... 
Regardless tho; they moved on! After all these years M$ coming and saying, 
"yeah, btw we fixed this issue" is just... disappointing.


Aras 'Russ' Memisyazici
Systems Administrator
Virginia Tech


-----Original Message-----
From: Eric Rachner <eric@xxxxxxxxxx>
Sent: Tuesday, November 25, 2008 5:26 AM
To: Memisyazici, Aras <arasm@xxxxxx>
Cc: full-disclosure@xxxxxxxxxxxxxxxxx <full-disclosure@xxxxxxxxxxxxxxxxx>; 
bugtraq@xxxxxxxxxxxxxxxxx <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!

Hey, kid -

If you've got any better ideas about how to fix NTLM, the industry is ready & 
waiting to hear them.

The fact is, NTLM is an old & busted protocol that happens to be used 
everywhere, and there's no way to fix it without breaking compatibility with, 
oh, just the entire installed base.  I was happy to see MS08-068 because the 
technique it implements is better than nothing - it offers a nice, clever way 
to reduce the exploitability of the issue without breaking anything important.

Don't bother telling us all how M$ should just bite the incompatibility bullet 
and turn NTLM off - that's been an option for users, theoretically speaking, 
since about the time Windows Kerberos support became mature, and practically 
speaking, nobody seems to be turning NTLM off here in the real world.

- Eric


On Tue, Nov 25, 2008 at 7:44 AM, Memisyazici, Aras <arasm@xxxxxx> wrote:


        <RANT>
        
        <snip:: taken from MSRC Blog: 
http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspx>
        
        What we released today with MS08-068 is that security update. It 
addresses the SMBRelay issue (discovered in 2001) does so in a way that doesn't 
have the negative impact on applications that we originally believed addressing 
this issue would have.
        
        </snip>
        
        So... Hmm... I wonder what would happen if the rest of the world 
followed suit with M$' approach, and took 7 years to "fix" an issue in order to 
"not cause a significant impact"...
        
        Scenario:
        
        Ppl: Hey Ford, if one brute-forces the keyless entry on the door, 
you're car explodes...
        
        Ford: well... I'll offer you three choices, two immediately, and the 
last one 7 yrs later. You can either not use the keyless entry system (we'll 
give you some shiny duck-tape to cover it) or you can use the biometric-knub 
system which requires that you have a knub... So those who have arms & legs 
can't use the system... (btw this will give birth to a whole new industry that 
will allow ppl to pay money for a product that fakes a knub for people with 
appendages) But it's biometric & cool this way! Or you can wait for 7 years and 
we'll release a non-exploding version of the keyless-entry system.
        
        ***************************************
        
        OK... Maybe I'm going a bit extreme, but WTH?! Am I the only one who is 
interpreting this, this way? Really? When has releasing a solution to a problem 
7 years later ever been acceptable?
        
        Jus' sayin' ...
        
        </RANT>
        
        Aras 'Russ' Memisyazici
        Systems Administrator
        Virginia Tech
        _______________________________________________
        Full-Disclosure - We believe in it.
        Charter: http://lists.grok.org.uk/full-disclosure-charter.html
        Hosted and sponsored by Secunia - http://secunia.com/
        


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
  - From: Charles Morris
- Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
  - From: Mike C

Prev by Date: Re: [Full-disclosure] n3td3v has been tracked to Slough, UK
Next by Date: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
Previous by thread: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
Next by thread: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?!
Index(es):
- Date
- Thread