Full Disclosure mailing list archives
Re: Microsoft takes 7 years to 'solve' a problem?!
From: "Eric Rachner" <eric () rachner us>
Date: Thu, 27 Nov 2008 07:20:05 -0800
I'd say that the DNS TID problem was a much more solvable problem than the problem Microsoft has with NTLM: At least with the TID issue, a fix was identified that did not break interoperability with legacy systems. No such luck with NTLM. Since the only "fix" identified so far is completely disabling a protocol that's universally deployed, I'd say that just about pegs the PITA-meter. - Eric -----Original Message----- From: Elazar Broad [mailto:elazar () hushmail com] Sent: Tuesday, November 25, 2008 11:59 PM To: arasm () vt edu; eric () rachner us Cc: full-disclosure () lists grok org uk; bugtraq () securityfocus com Subject: Re: [Full-disclosure] Microsoft takes 7 years to 'solve' a problem?! -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Um, NTLM isn't the only 20 or so year old protocol to take the rap recently, I can think of a low numbered rfc, lets say 1034 and 1035. Hindsight is 20/20, and 20 years ago, who would have thought that a 16 bit number was way too small for DNS transaction id, the same "who would have though" goes for NTLM and the rest. Lets face it, protocol design bugs suck, and to completely replace a widely used protocol ranks pretty high in the PiTA hall of fame... On Tue, 25 Nov 2008 05:25:57 -0500 Eric Rachner <eric () rachner us> wrote:
Hey, kid - If you've got any better ideas about how to fix NTLM, the industry is ready & waiting to hear them. The fact is, NTLM is an old & busted protocol that happens to be used * everywhere*, and there's no way to fix it without breaking compatibility with, oh, just the entire installed base. I was happy to see MS08- 068 because the technique it implements is better than nothing - it offers a nice, clever way to reduce the exploitability of the issue without breaking anything important. Don't bother telling us all how M$ should just bite the incompatibility bullet and turn NTLM off - that's been an option for users, theoretically speaking, since about the time Windows Kerberos support became mature, and practically speaking, nobody seems to be turning NTLM off here in the real world. - Eric On Tue, Nov 25, 2008 at 7:44 AM, Memisyazici, Aras <arasm () vt edu> wrote:<RANT> <snip:: taken from MSRC Blog: http://blogs.technet.com/msrc/archive/2008/11/11/ms08-068-and-smbrelay.aspxWhat we released today with MS08-068 is that security update. Itaddressesthe SMBRelay issue (discovered in 2001) does so in a way thatdoesn't havethe negative impact on applications that we originally believedaddressingthis issue would have. </snip> So... Hmm... I wonder what would happen if the rest of the worldfollowedsuit with M$' approach, and took 7 years to "fix" an issue inorder to "notcause a significant impact"... Scenario: Ppl: Hey Ford, if one brute-forces the keyless entry on thedoor, you'recar explodes... Ford: well... I'll offer you three choices, two immediately, andthe lastone 7 yrs later. You can either not use the keyless entry system(we'll giveyou some shiny duck-tape to cover it) or you can use thebiometric-knubsystem which requires that you have a knub... So those who havearms & legscan't use the system... (btw this will give birth to a whole newindustrythat will allow ppl to pay money for a product that fakes a knubfor peoplewith appendages) But it's biometric & cool this way! Or you canwait for 7years and we'll release a non-exploding version of the keyless-entry system.*************************************** OK... Maybe I'm going a bit extreme, but WTH?! Am I the only onewho isinterpreting this, this way? Really? When has releasing asolution to aproblem 7 years later ever been acceptable? Jus' sayin' ... </RANT> Aras 'Russ' Memisyazici Systems Administrator Virginia Tech _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE----- Charset: UTF8 Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 3.0 wpwEAQECAAYFAkktAd8ACgkQi04xwClgpZhz/wP/XksVY9PcYZ9Rs5iDMAkw7qa/2FIw UsdD78zHzH5JuFTl0gTozNBRJwWZfxdp3frDjtKAIUl6qVvhd2Kv/lOzVU70mNm/4VlM tC+YqiYMVuMC0flaUwYOxOwfcxaXE+YBWWxMvM7DgNayVqiAwhrsyPNQLv3dAc6jaXtC rvGdXhI= =8pzj -----END PGP SIGNATURE----- -- Earn more money. Click here to be certified as a personal trainer. http://tagline.hushmail.com/fc/PnY6qxuDvSM8g0rMP8MYY39fxdedfaeIAefWGHzD14thA8Zv41cU1/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Microsoft takes 7 years to 'solve' a problem?!, (continued)
- Re: Microsoft takes 7 years to 'solve' a problem?! James Matthews (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Eric Rachner (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Memisyazici, Aras (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Charles Morris (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Kurt Grutzmacher (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Mike C (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Charles Morris (Nov 25)
- Re: Microsoft takes 7 years to 'solve' a problem?! Elazar Broad (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Paul Schmehl (Nov 26)
- Re: Microsoft takes 7 years to 'solve' a problem?! Eric Rachner (Nov 27)
- Re: Microsoft takes 7 years to 'solve' a problem?! Eric Rachner (Nov 27)
- Re: Microsoft takes 7 years to 'solve' a problem?! Elazar Broad (Nov 28)