Information Security News mailing list archives

Kerberos Loophole May Close Around Microsoft's Neck


From: William Knowles <wk () C4I ORG>
Date: Sat, 20 May 2000 00:44:53 -0500

http://dailynews.yahoo.com/h/is/20000519/bs/kerberos_loophole_may_close_around_microsoft_s_neck_1.html

Friday May 19 09:16 PM EDT
(Industry Standard)

As a legal wrangle develops over whether the Linux/open-source news
Web site Slashdot.org can post messages containing what Microsoft
calls a "trade secret," key members of the technical standards
community have lost patience with the software giant's assertion of
proprietary control over an open standard.

At issue is a security protocol called Kerberos, a mechanism that
enables secure identity authentication when users log on to a network.
The version of Kerberos in Windows 2000 exploits a loophole in the
Internet standard specification that was deliberately left open for
customized versions.

Upset that Microsoft has in essence driven a truck painted with the
Windows logo straight through that opening, Clifford Neuman, the
principal author of the original MIT version of Kerberos and current
editor of the IETF's Kerberos standard document, is drafting a
proposal to close the hole in the spec. The IETF is an international
group that sets standards for the Internet.

Such a move would render Microsoft's made-for-Windows version of
Kerberos nonstandard, at least in part. To gain full compliance,
Microsoft would have to change part of its Kerberos code or open it
fully to outsiders, ensuring that competing versions of Kerberos have
the same access to Windows. The current legal question eventually
might be rendered moot as a result.

In the meantime, Andover.net, the owner of Slashdot, has responded
defiantly to a legal notice from Microsoft that cites the Digital
Millennium Copyright Act. The site refused to remove postings of the
"secret" part of the Windows 2000 Kerberos code, published on Slashdot
by open-source activists.

Andover lawyers have sent a response to Microsoft that poses questions
aimed at expanding the issue beyond copyright law.

"How can Microsoft claim proprietary protections for enhancement to an
open-standard protocol?" the letter states. Andover also questions
Redmond's secrecy claim, given that Microsoft first published the code
on the Internet.

Microsoft's implementation of Kerberos takes advantage of an undefined
data field in the spec to store authorization data for the Windows
2000 operating system. Microsoft published the code for this
additional aspect on the Web but attached restrictions that
essentially lock down the information. To download the file, users
must agree to a licensing restriction that labels the material
"confidential information and a trade secret."

Microsoft says keeping the enhancement portion of its code proprietary
does not affect the interoperability of Windows 2000 Kerberos. Critics
argue, however, that Microsoft is making it difficult to install rival
versions of Kerberos on a network with Windows 2000 desktops and
non-Microsoft servers.
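The "undefined data field" the article refers to is the Kerberos authorization-data element (AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }). The following is an added illustration, not code from MIT, Microsoft or the article, of how that field is framed and how a non-Microsoft application server can sort elements it does not understand, which is the interoperability question the critics raise. Assumptions: the ad-type numbers AD-IF-RELEVANT (1) and AD-WIN2K-PAC (128) are taken from the later RFC 4120 registry, the DER handling is a hand-rolled minimum, and the PAC contents are a constructed placeholder.

```python
AD_IF_RELEVANT = 1    # RFC 4120: wrapper whose unknown contents a server may ignore
AD_WIN2K_PAC = 128    # RFC 4120: ad-type registered for Windows' authorization data (PAC)

def _tlv(tag, body):
    """DER tag-length-value for bodies up to 65535 bytes."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _read_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    k = 0 if first < 0x80 else first & 0x7F          # long-form length byte count
    length = first if k == 0 else int.from_bytes(buf[pos + 2:pos + 2 + k], "big")
    start = pos + 2 + k
    return tag, buf[start:start + length], start + length

def encode_authorization_data(elements):
    """Encode [(ad_type, ad_data), ...] as SEQUENCE OF SEQUENCE { [0] Int32, [1] OCTET STRING }."""
    def der_int(t):
        return _tlv(0x02, t.to_bytes((t.bit_length() + 8) // 8, "big", signed=True))
    items = b"".join(_tlv(0x30, _tlv(0xA0, der_int(t)) + _tlv(0xA1, _tlv(0x04, d)))
                     for t, d in elements)
    return _tlv(0x30, items)

def decode_authorization_data(der):
    """Inverse of encode_authorization_data; raises ValueError on bad framing."""
    tag, items, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("AuthorizationData must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(items):
        _, elem, pos = _read_tlv(items, pos)
        _, t_body, nxt = _read_tlv(elem)               # [0] ad-type
        _, d_body, _ = _read_tlv(elem, nxt)            # [1] ad-data
        ad_type = int.from_bytes(_read_tlv(t_body)[1], "big", signed=True)
        out.append((ad_type, _read_tlv(d_body)[1]))
    return out

def triage(der, understood):
    """Sort elements as a non-Microsoft server can: unknown types inside
    AD-IF-RELEVANT are ignorable; unknown top-level types must be rejected."""
    result = {"used": [], "ignored": [], "rejected": []}
    for ad_type, ad_data in decode_authorization_data(der):
        wrapped = ad_type == AD_IF_RELEVANT
        for t, _ in (decode_authorization_data(ad_data) if wrapped else [(ad_type, b"")]):
            bucket = "used" if t in understood else ("ignored" if wrapped else "rejected")
            result[bucket].append(t)
    return result
```

A Windows client that wraps its PAC in AD-IF-RELEVANT lets a non-Microsoft server authenticate the user and simply skip the Windows-specific data; a Windows server that requires the PAC cannot get one from a non-Microsoft KDC, which is the asymmetry the critics describe.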

Microsoft is "using its monopoly on the desktop to force people to use
its server," says Paul Hill, co-leader of the Kerberos team at MIT.

Anger over Microsoft's tactics led open-source advocates to ignore
Microsoft's lock-down licensing agreement and post the code on
Slashdot's site. Microsoft then demanded that the site remove the
information from its servers.

Although Slashdot initially cried censorship, Microsoft rejected First
Amendment arguments. "It's not about free speech. We're not asking for
people's comments to be pulled down," said Microsoft spokesperson Adam
Sohn. "It's the manner in which the [copyrighted information] is being
distributed that we're asking Slashdot to address."

Slashdot's lawyers have in turn moved the discussion beyond
censorship, and in doing so Slashdot might have gained the backing of
the technical standards community.

Even if Microsoft has copyright law on its side, Neuman considers the
software giant's legal move "pretty bogus."

Far from regarding Microsoft's protected code as a "trade secret,"
Neuman, who is also a senior research scientist at the University of
Southern California, considers it to be wholly derivative. Neuman said
he personally described its essentials in a 1993 scientific paper.

"Some of the specific changes that they did were actually things I
suggested on the Kerberos mailing list," he says. "So I don't know
what sort of claims they are trying to make on this."

Neuman believes that, given the legal spat, it is time to define a
generic format for the previously undefined authorization data field
in the specification, a move already under discussion on the official
Kerberos mailing list.

In addition, Neuman has committed to drafting a proposal in the next
couple of weeks. If approved, the authorization aspect of Kerberos in
Windows 2000 will no longer be standard.

At that point, Microsoft will have to choose whether to play by IETF
rules or abandon its claims of full compliance. That decision should
clarify which is more important to Microsoft: full interoperability or
protecting Windows.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
