Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Kerberos, PACs And Microsoft's Dirty Tricks

Hemos posted more than 14 years ago | from the read-more-about-it dept.

Microsoft 417

Chris DiBona wrote to us with something that Ted and Jeremy (Samba Boys) wrote: "Microsoft, after getting beat up in the press for making propietary extensions to the Kerberos protocol, has released the specifications on the web -- but in order to get it, you have to run a Windows .exe file which forces you agree to a click-through license agreement where you agree to treat it as a trade secret, before it will give you the .pdf file. Who would have thought that you could publish a trade secret on the web?" Read more from the Samba Team below.

The critical part of the license states:

  • "b. The Specification is confidential information and a trade secret of Microsoft. Therefore, you may not disclose the Specification to anyone else (except as specifically allowed below), and you must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information, to keep the Specification confidential. If you are an entity, you may disclose the Specification to your full-time employees on a need to know basis, provided that you have executed appropriate written agreements with your employees sufficient to enable you to comply with the terms of this Agreement.
This is course is a very clever way to pretend to distribute the spec, whilst making it completely impossible to implement in competiting implementations which implements their propietary protocol extensions --- extensions to a protocol which was originally published by the Kerberos team as an Open Standard in the IETF. This completely defeats the IETF's interoperability goals, and helps Microsoft leverge their desktop monopoly into the server market.

The one good thing about Microsoft having pulled this dirty trick is that it makes their propietary intentions about the Windows 2000 PDC clear as day. I doubt anyone else could come up with a charitable explanation for what they've done. What a better example of Microsoft's "embrace, extend, and engulf" business model!

Jeremy Allison,
Samba Team.

Theodore Ts'o,
(former) Kerberos Development Lead "

cancel ×

417 comments

what's the fud'din difference? (1)

Anonymous Coward | more than 14 years ago | (#1096254)

ok, I am a typical computer user with no opinion on the DoJ Microsoft case, other than the fact that it makes my stock less valuable. Then I read this and say, "wow Microsoft is doing bad things! They must be punished!" Nevermind that this writeup exhibits no impartiality in its attempts to paint Microsoft in a bad light. Why is this FUD any different from that that comes from Microsoft?

And while we are at it, so what if Microsoft releases a proprietary extension to Kerberos? If they want to provide the work that will allow Windows/Kerberos operation to proceed in a different manner who is to stop them? The Open Source community rallies around the idea that software, code is free for all to see, take it modify it test the limits of what you can do with it. But Microsoft can't add to it and charge for it? Well, when Linux completely supports every Microsoft specific protocol (ActiveX, MS Java, etc.) then maybe you can demand that Microsoft conform its software for everyone else.

never thought I would say this but bring that bitch Jamie back with her ridiculous 'privacy threatened' posts, at least they were fresh and not the same recycled Linux-FUD like this.

Re:Kerberos? Isn't it Cerebus? (1)

Anonymous Coward | more than 14 years ago | (#1096257)

From: comp.protocols.kerberos FAQ

http://www.nrl.navy.mil/CCS/people/kenh/kerberos -faq.html#cerberus

Subject: 1.3. Hey! I remember my Greek mythology, and I thought the dog that guarded the entrance was called Cerberus! What gives?
I personally wonder about this myself. I have seen references in "The Devil's Dictionary" that claim it is Kerberos, but when I checked this myself I only found the "Cerberus" variant.

I never actually heard of the "Kerberos" spelling/pronunciation until I got involved with Kerberos myself.

From: Tom Yu

"Cerberus" is the Latin spelling of the Greek "Kerberos", and according to the OED is pronounced like "serberus", but that is quite at odds with the Greek, as the initial consonant is a "k". MIT Project Athena chose to use the Greek spelling and pronunciation.
From: Jan Sacharuk

Tom Yu is correct, Cerberus is the Latin spelling. However, the fact that the OED says that the 'c' is pronounced as an 's' is an English affectation. In Latin, the letter 'c' is always hard. So Cerberus is pronounced 'Ker-ber-ous'. The letter 'u' is also slightly different, making it somewhere in between 'oos' and 'ous'.

Re:Is "Kerberos" trademarked? (1)

Anonymous Coward | more than 14 years ago | (#1096258)

If they're not conformant with a open and trademarked standard, they should not be allowed to say they are.

How interesting! The interestingness of this is very interesting. It is interesting you came to this interesting conlusion.Interestingly, you point out that they should not be allowed to say they are open. I came to the same interesting conclution. Interesting.

Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.

Once again, you bring up an interesting point. And that point, my interesting friend, is very interesting. It is interesting to find interesting minds on this interesting site. Moderators, mark the parent "Interesting".

Re:Trade Secrets only as long as they're secret... (1)

Sabalon (1684) | more than 14 years ago | (#1096268)

On the other hand, what's the big deal? If no one uses Microsoft's extensions, it's a non-issue.

That's nice in a perfect world, but if you want Kerberos and MS Kerberos to work together, you're screwed.

Re:what's the fud'din difference? (1)

nelsonrn (2165) | more than 14 years ago | (#1096270)

Jamie is male. What else is wrong in your post? Readers beware.
-russ

Stunning... and therefor terrifying! (1)

Eck (2901) | more than 14 years ago | (#1096278)

That's not the end of their continued dirty tricks. It's almost as if they're stepping up every kind of nastiness to make up for lost time!

There are reports like these [cyberspace.org] cropping up. Like any publisher, Micro~6 doesn't like the resale market. Unlike some, they're in a position to bully small resellers out of business.

Re:OUCH! Check this out... (1)

Virtex (2914) | more than 14 years ago | (#1096279)

Really? I think I'm going to send M$ some emails with the following message at the end of each:

"By receiving this email, you agree to send me one million dollars"

And see how much money they send me. I bet it won't be much (i.e., $0).

--

Re:The license is still all over the damn thing (1)

JPelorat (5320) | more than 14 years ago | (#1096286)

Hehe, that's pretty creative.. there is, however, another discussion going on in this thread regarding the structural soundness of distributing trade secrets under a common license for anyone to pick up and agree to. Wouldn't it just be funny if a court eventually decided that there's no such thing as a public trade secret?

Re:OUCH! Check this out... (1)

Dagmar d'Surreal (5939) | more than 14 years ago | (#1096291)

That does not stand the least little bit of a chance to stand up in court.

For example...

The following phrase is a trade secret of me:

"Rubber baby buggered bindles"

Viewing of this phrase outside this message by persons other by myself is subject to a mandatory licencing fee of $5.00. You now owe me $5.00.
Cough it up you hippie.

Something is either patented, trademarked, or FAIR GAME once discovered.

license is in pdf (1)

aphr0 (7423) | more than 14 years ago | (#1096300)

For those that never bothered to actually do any research before mindlessly posing, the agreement is included at the bottom of the pdf file and is referenced at the beginning.

Re:It's just a CAB file (1)

Signal 11 (7608) | more than 14 years ago | (#1096301)

It may be a legal "dare" by Microsoft to test the DMCA. Remember, you can't "bypass copy protection measures".. and this is such a trivial one you really have to wonder. Especially since they labelled it a "trade secret". Why?

Legally, trade secrets enjoy very little protection... but it sounds like it would make an excellent soundbite for the media if it were "leaked" by a bunch of "hackers".

Re: where is a copy of this memo? (1)

Mr. Flibble (12943) | more than 14 years ago | (#1096312)

Try here [theregister.co.uk] for as much of the memo as is legally released. You cannot actually read the damning statement for legal reasons. Still, The Register has a good article on it.

post that bitch to the freenet! (1)

Blue Lang (13117) | more than 14 years ago | (#1096313)

I really do wonder sometimes if it might be cool to just declare bankruptcy, get a job working at mcdonald's, and spend my free time taking code like this, publishing it, implementing it, and then getting sued.

And then I think, wait.. Who cares? It's Windows, in five years, no one will use it anyways. :P

--
blue

Re:Trade Secrets only as long as they're secret... (1)

Panaflex (13191) | more than 14 years ago | (#1096314)

But you don't understand. If microsoft said the sky was red, then the court would say yes it is!

Even if only because the sky is red at dusk..

Twisting truth for fun and profit.

Pan

Re:Kerberos? Isn't it Cerebus? (1)

Darmox (16016) | more than 14 years ago | (#1096327)

They're both more or less the same, and that's where the name comes from. I -believe- that the Greek version is Cerberus, and the Roman was Kerberos, although I could be wrong. I have also heard that Kerberos is how "Cerberus" should be pronounced (Kur-bear-ous)

Re:Defeating Trade Secrets 101: (1)

MeanGene (17515) | more than 14 years ago | (#1096331)

When are you guys going to grow up!?!?

It's like being happy about sneaking into your house late at night through the window just because cops on the street didn't shoot you.

The issue is not that you can extract the PDF file out of kerbspec.exe. The issue is that Microsoft DARED to prepend that spec with the license that (hold your breath!) doesn't allow you to implement a counterpart to talk to a MS Kerberos client or server

Re:Defeating Trade Secrets 101: (1)

magic (19621) | more than 14 years ago | (#1096334)

The original poster meant that the document is copyrighted, not the concepts in it.

kerbspec.exe /c /t:c:\temp /q (1)

scotpurl (28825) | more than 14 years ago | (#1096337)

If you run:
kerbspec /c /t:c:\temp /q
You'll get the contents, and never even see the license.

But it will work with kerberos... (1)

jtgold (31028) | more than 14 years ago | (#1096346)

...as a client. Kerberos clients simply won't be able to get access to domain resources.

Re:Trade secret == open season (1)

The_H0und (37508) | more than 14 years ago | (#1096350)

Did I mention that you can bypass the license agreement by opening the executable with WinZip and not ever executing the thing?

Have fun!
Josh

Re:Trade secret == open season (1)

jasha (42162) | more than 14 years ago | (#1096355)

It's my impression that as long as the entity (Microsoft) takes reasonable steps to protect their trade secret (they have), regardless of how you get it, it is still protected.

a way around (1)

lubricated (49106) | more than 14 years ago | (#1096359)

so someone in a country where these kind of agreements are not legal or enforcable can read the pdf and give it to everyone else. Or better yet if they don't give it to anyone. Then people will be forced to stop using windows because it won't interoperate with their machines.

Re:It's just proof (1)

ronfar (52216) | more than 14 years ago | (#1096360)

I think he may have finally decided to go for it and buy that persian cat...

Re:Is "Kerberos" trademarked? (1)

tak amalak (55584) | more than 14 years ago | (#1096361)

Why was this moderated down? I almost fell over laughing when I read this.
--

Playing into Microsoft's game (1)

zornorph (63846) | more than 14 years ago | (#1096385)

People are trying to find ways around Microsoft's click-through agreement so that they can post the specification somewhere... but what good does this do? While it does show Microsoft's intentions, it will also tempt people to write apps that implement it. Of course, these apps will most likely not interoperate well (if at all) with their UNIX variants, and the unwashed masses will stay with the safety of Microsoft again.

Kerberos? Isn't it Cerebus? (1)

Ribo99 (71160) | more than 14 years ago | (#1096393)

..Gates and company seem to be embarking on a journey that is eerily similar to the last of the 12 labors of Hercules: the capture of Kerberos, the three-headed hound who guarded the gates of Hades.


Kerberos? I thought the three-headed dog that guarded the gates of Hades was called "Cerebus"?

---

Dirty trick.. or just a lapse? Or really dirty? (1)

Paul Neubauer (86753) | more than 14 years ago | (#1096406)

Time and again we've seen Microsoft "bashed." Most of the time they've earned it. But when another company does something not considered right (say, nVidia) it gets somewhat better treatment.

Now, I trust Microsfoft not as far one can comfortably spit a rat, but was there any call yet to verify if this was a lapse? "Slap on the usual license.." or such? I didn't see one. Not one, or just missed it. No astroturf, even.

I'm thinking it isn't a lapse and is something will have to sorted out by careful means. That is, the information obtained in a way that is legal enough to pass the lawyers, lest we have another DeCSS thing, the story of which drags on, despite the information having spread beyond any hope of containment.

And, being less charitable and more suspicious, try this on. Suppose the content is only partly right, by design. It will need verifying, or there will be much disinformation distributed, with a resulting more insidious incompatibility.

So what happens if... (1)

SEAL (88488) | more than 14 years ago | (#1096412)

Say some anonymous individual decides to separate the technical specifications from the legal garbage, and distribute them on the web.

Obviously this person has violated the click-license agreement. But what happens if Jeremy picks up the stripped specs and implements them? Jeremy has agreed to nothing. So is he accountable? Is there something in the DMCA or other law which would place him in jeopardy?

Just curious,

SEAL

Fodder for the Anti-Trust Case (1)

sarhjinian (94086) | more than 14 years ago | (#1096416)

Although everything surrounding Microsoft's anti-trust case has pretty much wrapped it, this would have been a nice addition to the "Stifling Competition" pile.

Question: Assuming that it's possible, is reverse-engineering Microsoft's Keberos extensions legal?

Re:Kerberos? Isn't it Cerebus? (1)

sarhjinian (94086) | more than 14 years ago | (#1096417)

Kerberos? I thought the three-headed dog that guarded the gates of Hades was called "Cerebus"?

I think "Kerberos" is the more accurate spelling from the actual Greek. "Cerebus" is an anglesized (ack!) spelling.

Re:OUCH! Check this out... (1)

TheCarp (96830) | more than 14 years ago | (#1096419)

Well IANAL but...

by obtaining it in this way, you have not actually
agreed to any licence. I don't think that "By
reading this" you can actually be held legally
responsible for anything...afterall...since its
part of the document, then there would be no way
to know the terms before you agree.

besides...you, the obtainer, have not broken any
law, except maybe copyright law....but...fair use
still applies (there was an mp3 article a while
back where both sides lawyers agreed that fair use
applies, regardless of whether the act of
obtaining the material is illegal)

As such...you could use it to add the info to the
kerberos spec :)

All in all it would just be best if someone
converted it to plain text and sent it to an
anonymous remailer - posted into usenet. (are
there still anonymous remailers that post to
usenet? sigh...I still lament the loss of
annon.penet.fi)

It's just proof (1)

gfxguy (98788) | more than 14 years ago | (#1096428)

That Bill Gates is truly psychologically challenged.

I mean it, really. I think he honestly believes that:

  • He has done nothing wrong.
  • Microsoft has propelled the industry far beyond where it would have gone without it.
  • People really love him, and will rally to his cause before letting the government hurt MS.
  • What MS does is innovating.
I honestly believe he has a god complex.
----------

Re:Get around the license ... ? (1)

zaphod.nu (100500) | more than 14 years ago | (#1096431)

Well, he can't agree to the license since he is a minor.
But that would only make his gaurdians responisble. IE, his parents.

.sig
Note that these are my personal opinions, they are just as faulty as anyone elses.


.sig

Re:Kerberos? Isn't it Cerebus? (1)

Madjeurtam (101190) | more than 14 years ago | (#1096432)

the original greek would be spelled kappa-epsilon-beta-epsilon-rho-omikron-sigma: Kerberos.

Mmmh... I think you're forgetting one "rho"...

Should not that be kappa-epsilon-rho-beta-epsilon-rho-omikron-sigma ?

Just my 7.38539 drachmas ;))

Stéphane

i hate to get technical, but (1)

DrEldarion (114072) | more than 14 years ago | (#1096445)

i believe it's Cerberus...

-- Dr. Eldarion --
It's not what it is, it's something else.

wow, THAT'S hard to get around... (1)

DrEldarion (114072) | more than 14 years ago | (#1096446)

well, gee, lemme think... someone will get it, go to a library or other such place, post it somewhere, then everyone and their mom will mirror it...

-- Dr. Eldarion --
It's not what it is, it's something else.

Re:Loophole? (1)

scott@b (124781) | more than 14 years ago | (#1096456)

Perhaps do something such as leave the PDF on a machine running one of several Microsoft programs that make your drive public on whatever network you are connected to...

Re:Oops (1)

br4dh4x0r (137273) | more than 14 years ago | (#1096470)

haha

i give up

pity me,
br4dh4x0r

Re:Trade secret == open season (1)

Frank T. Lofaro Jr. (142215) | more than 14 years ago | (#1096474)

UCITA isn't law yet. There is a moratorium on its going into effect in Virginia. Maryland is still considering it, as far as I know. It isn't law in any other state (yet). Also, even if a click-thru license is validated, that says nothing about the case where you can still use the product without agreeing. If you click Yes, you could be bound. But if you can still get it to work some other way you might be off the hook. I am not a lawyer, but I know that many times defendants get off on technicalities like this. Plus I think there are very low damages possible even if there are violations. I read UCITA, and it seems to be about breech of contract, actual damages and actual profits. No mention of statuatory and punitive damages. Consult a lawyer for real details. Compared to the DMCA, UCITA is much less dangerous (but still very dangerous none the less - but the current situation isn't very free - I think Kentucky has held shrink wrap licenses valid for years)

M$ is of the devil (1)

laugau (144794) | more than 14 years ago | (#1096475)

Guess what, the license agreement is also part of the document, open the spec and you are bound by it. Damn, my eyes...

It can still be used in SAMBA... (1)

spoonboy42 (146048) | more than 14 years ago | (#1096479)

If we only have to take precautions equal to those we take for our own confidential data, why not just set up a windows box with ALL files shared over gnutella. Then just throw a few love letters in my documents (personal confidential data) and share the Microsoft docs. Problem solved! ;)



Re:Loophole? (1)

fedos (150319) | more than 14 years ago | (#1096482)

Well, you know that File and Print Sharing is a vital part of all intranets. :)

Seriously, though. I have Microsoft's Web Server installed on my system (I thought it was necessary for running InterDev). What if you know what my IP address is and you access my machine. The PDF is just has secure as the rest of my data, am I breaking the agreement?

What a load of three-headed... (1)

connorbd (151811) | more than 14 years ago | (#1096485)

You know, the truth is that I simply don't buy their licensing terms. "Treat it as a trade secret" my USB port -- that's like telling a little kid not to touch the cookie jar when they didn't even know there was something in there.

It's legal FUD, no more. I'd just love to see someone work up the nerve to challenge it (anywhere except Virginia, of course).

/Brian

Potential workaround (1)

Inquisiter (155042) | more than 14 years ago | (#1096488)

This is a pretty sly way to enforce a licencing agreement. Maybe this is an equally sly workaround. The key is that the user is only required to agree to the agreement if they read the agreement when they run the program under windows. If someone could hack up a perl program to extract the pdf, we wouldn't be prompted to, or required to agree to the licence (Unless the agreement was also inside of the document :( ). If this could be hacked together, the spec could then be used by the samba team. There is no reference to any agreement on thier web page, and I downloaded the bits without agreeing to anything. Now if I could only extract the document without agreeing to any agreement. What do you think?

Disclaimer: IANAL

Did Micro$oft have to do this. (1)

Glowing Fish (155236) | more than 14 years ago | (#1096490)

Could everyone please forgive my ignorance, but did Micro$oft have to do this? Was making propietary extensions to a GPL, or otherwise OpenSource protocol, in someway illegal for them to do, or was it just considered in bad taste?

Because if they did do something against their license, then they really can't pick and choose how they are going to follow their license...they either have to do it or not.

If however, they only did something in bad taste, and wish to make up for it, then we really can't argue too much with what they did...besides to say it is still in bad taste?

I imagine that Micro$oft didn't consider this manner to be that important, they must have known this kind of documentation would be leaked quickly enough. Or else they just don't know about Slashdot.

Re:Logic flaw (1)

revelation0 (164235) | more than 14 years ago | (#1096495)

Well, you can make this statement only by the assumption that we do consider the source that we are opening up "confidential", which most of us probably don't. My new recommendation is this, which I will also propose to those on the samba dev team and list -

Build (maybe fork?) a new version of samba which complies with the new standards set by this document. Publish it under a different name (GPL'd of course) anonymously overseas for those wishing to intergrate other *nix servers on their windows network.

The only reason I deem this remotely necessary is because of Microsoft's conduct in all other fields, and I'm sure most will agree. If we do allow them to take this format, make it proprietary, killing all interoperability, there are those corporations who will begin the migration and be stuck with a Microsoft exclusive platform. WHY allow this, when we have the means and the resources to defeat it? If working in a corporation, and I wish to install a new file server and choose some random linux distribution to do the job, only to find out that it won't integrate with our current network because of the standards imposed by previous system admin's, there should be some way out. Standards and interoperability have created a boom in the computer industry, let's not see it fall victim to Microsoft's sword.

- Rev -

This (above) looks like the important point (1)

alarmo (168648) | more than 14 years ago | (#1096498)

And later: Microsoft does not grant you any right to implement this Specification.

sure enough, this seems (IANAL) to directly state that if you use this spec to implement or imitate MS-Kerberus, you've violated the agreement and can probably be sued, etc. The download is just necessary to wrap the license agreement around it.

This is kinda novel - "We'll even tell you what we're doing, but fsck if we'll let you do it too." Documentation doesn't help at all if it comes with a condition like that. What's the next step, patenting the writing of MS-Word format to keep all those pesky filters at bay?

Where's the first mirror? (1)

LoonXTall (169249) | more than 14 years ago | (#1096499)

With the way the open-source community disregards copyright, patents, etc. (see my .sig), who gets to be first to mirror? I defer the honor to the more courageous... after all, MS does hold many of my friends in its claws, unlike the MPAA.


-- LoonXTall

Re:Get around the license ... ? (1)

AwesomeCrap (178263) | more than 14 years ago | (#1096507)

Actaully, the law is worded such that a minor could agree to the contract, if the company will let them, but the contract is not legally binding for the minor AT ALL, but is legally binding for the other party, Meaning that the minor would not be responsible, and neither would their parents. But I'm not sure, so if you were going to do this, you should check with someone else who would know the law better than me.

Re:Is "Kerberos" trademarked? (2)

copito (1846) | more than 14 years ago | (#1096522)

IIRC, Microsoft has extended Kerberos in a standard way, that is, by using parts of the protocol which are intended to be vendor defined. I'm not sure whether they have maintained interoperability.
--

Re:can this be bypassed? (2)

copito (1846) | more than 14 years ago | (#1096523)

IANAL, but I think that a trade secret can be legally protected if reasonable steps were taken to protect it. So if someone breaks in and steal your trade secret, then publishes it, other parties may be enjoined from using the information.

A court would have to decide if Microsoft took reasonable steps to protect their trade secret in this case, I'd say they didn't, but then again I'm biased.
--

Use M$ Word (2)

MouseR (3264) | more than 14 years ago | (#1096526)

...to create enough documents so that all that extra bits of info M$ is grabbing off your disk in Word files, which would include their kerberos source modifications, ends up being send along the bogus documents via email attachments.

Reassemble everything, and you have sources that were published by MicroSoft's own incompetence in a way they can't blame you.

Re:The license is still all over the damn thing (2)

cpt kangarooski (3773) | more than 14 years ago | (#1096527)

Clearly you haven't extracted it enough...

Set up a pair of groups to extract it. One agrees to the terms and knows what the license is.

The other does not agree, and never looks at the docs at all. But they keep making filters which they think are likely to strip the license. They make a metric crapload of them, present them to the 1st group and asks "Are any of these licenseless?"

A bit of grepping determines the answer, and voila - a copy of the docs w/o license.

;)
(and if you think I'm a lawyer, I've got this bridge that's very affordable...)

Re:Defeating Trade Secrets 101 (2)

Angst Badger (8636) | more than 14 years ago | (#1096537)

IANAL, but part of the laws regulating trade secrets presumes that you are taking reasonable measures to prevent the public release of the secret. Posting a "trade secret" to a website for the general public to access could very easily invalidate any future claims to trade secret status.

An analogous situation would be if Bill Gates, staggering around drunk in Central Park, walked up to each of several thousand people and offered to tell them Microsoft trade secrets if they "promise not to tell". While there are no doubt judges that would let this crap slip by, I think it is likely that the vast majority of appellate courts would laugh loud and long at this. Secrets are secrets because they are, well, secret. They are not secret because Bill Gates distributes them to a billion-plus people and says "Shhhhhh".

Trade Secrets only as long as they're secret... (2)

UncleRoger (9456) | more than 14 years ago | (#1096538)

So, what if some unknown person, logged on from a public access PC (such as at a library), downloaded this stuff, then posted it, sans license, on a free website, such as geocities? After a bit, it wouldn't really be a secret any more...

On the other hand, what's the big deal? If no one uses Microsoft's extensions, it's a non-issue.

Re:what's the fud'din difference? (2)

DJerman (12424) | more than 14 years ago | (#1096543)

How about if I said, "I baked a great lemon pie! I'll give you the recipie!" Then I send you a recipie for a good pie, with a legal agreement that says you can't share it, or use it, oh and by the way, it's not really lemon, it's artificially flavored, but you can't tell anyone.

That's what MS is up to. They're offering you the recipie so that they can advertise (falsely) "lemon pie, with recipie".

Doesn't matter. (2)

Samrobb (12731) | more than 14 years ago | (#1096544)

It's bypassing the click-thru that's important. Having the license printed on every page may seem intimidating, but consider what would happen if you were to print it out and "loose" the printout. Whoever found it would most certainly not be bound by the license - hell, maybe they don't read English, or maybe they're a minor and legally unable to enter into this kind of agreement.

In short, MS doesn't really have a legal leg to stand on. What they do have, however, is an excuse to drag whoever they want (Samba team, anyone?) into court and sue them into bankruptcy. They don't even have to win, just have enough cash - which they do - to be able to pay their lawyers longer than you can pay yours.

Re:Defeating Trade Secrets 101: (2)

iCEBaLM (34905) | more than 14 years ago | (#1096570)

I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.

MS puts it on their page for everyone to DL, there was no agreement that I saw that said I couldn't give it out to anyone else, it's public domain.

I'm not associated with any such group, I'm just your average joe schmo who uses winzip instead of running self extracting archives for fear of viruses. :)

-- iCEBaLM

Re:Trade secret == open season (2)

The_H0und (37508) | more than 14 years ago | (#1096572)

However, there is a short license agreement at the bottom of every page and the full agreement on pages 11 and 12.

So, I guess that my winzip idea is worthless...

Re:Defeating Trade Secrets 101: (2)

Greg Lindahl (37568) | more than 14 years ago | (#1096573)


I wouldn't do that. It's still copyrighted,
Trade secrets can't be copyrighted. Consult a lawyer instead of playing one on /.

And we're the press now, too. (2)

devphil (51341) | more than 14 years ago | (#1096577)

Yeah, MS's dedication to certain standards is pretty impressive...

When I read the /. article and came to the link "beat up in the press," I was amused to see that the press doing the beating was LinuxWorld. That's one step away from saying "after MS was beat up in /. discussion boards."

You'd think that with a statement like that, "the press" would have referred to something a little more... mainstream. Of COURSE a Linux mag is going to beat up on Microsoft.

How to bypass the pop-up (2)

Jonny Royale (62364) | more than 14 years ago | (#1096582)

Open the .exe you downloaded onto a Windoze machine with Winzip...extracts the file automatically. No pop-up, no muss no fuss.

Seriously... (2)

zaphod.nu (100500) | more than 14 years ago | (#1096594)

Isn't there some kind of law against this?

We're getting whacked by big companies that uses their large legal departements to FUD the users of alternate products.

There should be something to protect us from these kind of things. Are you really allowed to make changes to a open standard and refuse to disclose it?

Maybe we should start slapping a GPL like license to standards? Something that goes like this: "Any standard that is a derivative of this standard MUST use the foo license". That would keep the nice and open standards open forever.

Note that these are my personal opinions, they are just as faulty as anyone elses.

.sig

I took a look at the .exe (2)

nels_tomlinson (106413) | more than 14 years ago | (#1096596)

, by opening it under emacs. There is some boilerplate by Verisign, and not much else that's easily readable. I expect that there'll be a mirror for the plaintext somewhere in a few days (hint, hint... get busy, overseas!). I can't do much with it easily, I'm on AIX.

I agree, there isn't any charitable explaination for this, but it's hard to explain any other way, either. Are they doing this so that when it is spread around they can say "look what happens when we try to be open... we'll never do that again!"?

Perhaps the best reply to this is to declare that any program which will interact with microsoft is broken... don't let them on your system.

Microsoft's deCSS! (2)

NightHwk (111982) | more than 14 years ago | (#1096597)

If it is that easy to obtain the 'trade secret' without making any agreements, then I hardly consider it much of a secret.

How many people have mirrored this file so far?

Can I get it on a T-Shirt yet?

Don't forget how much more evil Micros~1 is compared to the DVD industry, lets see some action taken!
Tyranny = Government choosing how much power to give the people.

Ignore W2K!! (2)

(void*) (113680) | more than 14 years ago | (#1096598)

I think I am paranoid enough to believe that this is a way for MS to try to make W2K popular, by "publishing" a standard, encouraging the Samba team to make a compatible product, without appearing to support it. As you know, W2K sales suck, and they must be getting desperate ...

IMHO, they should just ignore W2K. If people ask why, point to the incompatible license, this stupid "trade-secret" and blame MS. Make MS look bad, just like how winmodems were made to look lame. Watch W2K die.

But then I could just be dreaming.

Re:Did Micro$oft have to do this. (2)

TheMCP (121589) | more than 14 years ago | (#1096600)

The legal problem with what they're doing is that they're deliberately making their software non-interoperable with published standards. This seems to indicate that they're trying to use their monopoly position to exclude competition, which is illegal.

Got it?

Re:Is "Kerberos" trademarked? (2)

xee (128376) | more than 14 years ago | (#1096603)

This all depends...

If Microsoft used Kerberos code from MIT (which is distributed under a BSD-style license) then they must say that it is based on Kerberos. To not do so, would be in violation of the license.

However,

This is not necessarily the case for original code written to comply with an IETF standard (look at IIS, based on several RFCs, but not a derivitive work). If Microsoft wrote their own Kerberos code from scratch, but claims that it is compatible with the IETF Specification, that may be breaking some rules.

By the way, IANAL. If there are any lawyers reading this, please correct any errors I have made.


-------

Microsofts intention (2)

Kailden (129168) | more than 14 years ago | (#1096605)

It seems to me that the point of Microsoft releasing this spec is not so others can implement thier own versions. They are releasing the spec in order that security experts can review it as well as third-parties can take advantage of interacting with it in Win2000.

This is in no way a step towards opening it up for open-source contribution.

Think about it...even if M$ is broken up, one of those companies will be ther operating system group, and that group will be interested in getting good reviews from security experts and third party integration. It's pretty much the way Microsoft has built its empire from the beginning: giving and collabarating with a heavy advantage.

What do you expect? This is big business. This is Microsoft's new OS. Do you really think they would open it up?

Microsoft is not built on the foundation of open-source, and like any pure software company, will not lose money to increase collabaration unless the customers demanded it in such a way that Microsoft gains revenue.

PDF available here... (2)

br4dh4x0r (137273) | more than 14 years ago | (#1096606)

Just in case anyone who doesn't have Windows wants this...

http://www.angelfire.com/boybands/billgates/kerbsp ec.pdf

love,
br4dh4x0r

wow (2)

john_many_jars (157772) | more than 14 years ago | (#1096609)

I am willing to give MS the benefit of the doubt on a lot of issues. I have just recemtly started devloping in the MS SDK--coming from a POSIX-ish background of Sun. I have a theory about why their business practices are the way they are. Microsoft has never had a good, original idea, principle, or product (except, maybe Excel). So, Microsoft must adapt other ideas to fit their operating system. Since there are still DOS v1 and v2 commands still floating around in the SDK, it appears that this has been happening for a long time. Because of all the horrendous assumptions they made years ago (ie, Who will ever need more RAM than 640k), they have poorly fit standard and necessary operating system functions into their SDK (for a good example of this, look at hooks). And since their assumptions in the beginning were never fixed, just poorly patched and modifications were made to work around them, certain things that should be taken for granted in a real operating system cannot be. (Look at file locking and you'll see what I mean) So, rather than fix the os, they have to mangle existing standards so that they will fit with the 2-bit SDK MS has. Therefore, it isn't the business end of MS driving the idiocy, but the idiocy of the "imagineers" at MS driving the business principles. So the blame shouldn't be on the business dealings of MS for they have done an amazing job of hyping a flawed product. Rather, it should be that the managers and other "imagineers" at MS who make decisions about os implementation take the blame for the corruption of standards. QED: Bill Gates built his empire on faulty assumptions.

OUCH! Check this out... (2)

LoonXTall (169249) | more than 14 years ago | (#1096611)

In the PDF, it says that viewing it means you agreed to the license... reproduced at the end.


-- LoonXTall

WOW... (2)

Meshpatra (171823) | more than 14 years ago | (#1096612)

If M$ has such brilliant lawyers who draw up such amazing licensing documents, then i wonder how M$ could lose the court room battles.... :-)

hello (3)

Anonymous Coward | more than 14 years ago | (#1096615)

Microsoft Authorization Data Specification v. 1.0
for Microsoft Windows 2000 Operating Systems
April, 2000
) 2000 Microsoft Corporation.
All rights reserved.
Microsoft Confidential
Please review this Specification copy only if you licensed and downloaded it from Microsoft
Corporations website; if you did not, please destroy this copy, but you are welcome to license the
Specification at http://www.microsoft.com/technet/security/kerberos .
If you are an authorized licensee, when you downloaded the following Specification, you agreed
to the Agreement for Microsoft Authorization Data Specification v. 1.0 for Microsoft Windows 2000
Operating Systems (the "Agreement"). For your future reference, that Agreement is reproduced at
the end of this document.
Abstract
Microsoft Windows 2000 includes OS specific data in the Kerberos V5 authorization data field that is
used for authorization as described in the Kerberos revisions Internet Draft [1]. This data is used for
user logon and to create an access token. The access token is used by the system to enforce
access checking when attempting to reference objects. This document describes the structure of
the Windows 2000 specific authorization data that is carried in that field.
Top-Level PAC Structure
The PAC is generated by the KDC under the following conditions:
during an AS request that has been validated with pre-authentication
during a TGS request when the client has no PAC and the target is a service in the domain or a
ticket granting service (referral ticket).
The PAC itself is included in the IF-RELEVANT (ID 1) portion of the authorization data in a ticket.
Within the IF-RELEVANT portion, it is encoded as a KERB_AUTH_DATA_PAC with ID 128.
The PAC is defined as a C data type, with integers encoded in little-endian order. The PAC itself is
made up of several layers. The outer structure, contained directly in the authorization data, is as
follows. The top-level structure is the PACTYPE structure:
typedef unsigned long ULONG;
typedef unsigned short USHORT;
typedef unsigned long64 ULONG64;
typedef unsigned char UCHAR;
typedef struct _PACTYPE {
ULONG cBuffers;
ULONG Version;
PAC_INFO_BUFFER Buffers[1];
} PACTYPE;
The fields are defined as follows:
cBuffers - contains the number of entries in the array Buffers
Version - this is version zero
Buffers - contains a conformant array of PAC_INFO_BUFFER structures
The PAC_INFO_BUFFER structure contains information about each piece of the PAC:
typedef struct _PAC_INFO_BUFFER {
ULONG ulType;
ULONG cbBufferSize;
ULONG64 Offset;
} PAC_INFO_BUFFER;
Type fields are defined as follows:
ulType - contains the type of data contained in this buffer. For Windows 2000, it may be one of the
following, which are explained further below:
#define PAC_LOGON_INFO 1
#define PAC_CREDENTIAL_TYPE 2
#define PAC_SERVER_CHECKSUM 6
#define PAC_PRIVSVR_CHECKSUM 7
#define PAC_CLIENT_INFO_TYPE 10
Offset - contains the offset to the beginning of the data, in bytes, from the beginning of the
PACTYPE structure. The data offset must by a multiple of 8. If the data pointed to by this field is
complex, the data is typically NDR encoded. If the data is simple (indicating it includes no pointer
types or complex structures) it is a little-endian format data structure.
PAC Credential Information
PAC_INFO_BUFFERs of type PAC_LOGON_INFO contain the credential information for the client of
the Kerberos ticket. The data itself is contained in a KERB_VALIDATION_INFO structure, which is NDR
encoded. The output of the NDR encoding is placed in the PAC_INFO_BUFFER structure of type
PAC_LOGON_INFO.
typedef struct _KERB_VALIDATION_INFO {
FILETIME LogonTime;
FILETIME LogoffTime;
FILETIME KickOffTime;
FILETIME PasswordLastSet;
FILETIME PasswordCanChange;
FILETIME PasswordMustChange;
UNICODE_STRING EffectiveName;
UNICODE_STRING FullName;
UNICODE_STRING LogonScript;
UNICODE_STRING ProfilePath;
UNICODE_STRING HomeDirectory;
UNICODE_STRING HomeDirectoryDrive;
USHORT LogonCount;
USHORT BadPasswordCount;
ULONG UserId;
ULONG PrimaryGroupId;
ULONG GroupCount;
[size_is(GroupCount)] PGROUP_MEMBERSHIP GroupIds;
ULONG UserFlags;
ULONG Reserved[4];
UNICODE_STRING LogonServer;
UNICODE_STRING LogonDomainName;
PSID LogonDomainId;
ULONG Reserved1[2];
ULONG UserAccountControl;
ULONG Reserved3[7];
ULONG SidCount;
[size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
PSID ResourceGroupDomainSid;
ULONG ResourceGroupCount;
[size_is(ResourceGroupCount)] PGROUP_MEMBERSHIP ResourceGroupIds;
} KERB_VALIDATION_INFO;
The fields are defined as follows:
LogonTime - the time the client last logged on.
LogoffTime - the time at which the clients logon session should expire. If the logon session should
not expire, this field should be set to (0x7fffffff,0xffffffff).
KickOffTime - the time at which the server should forcibly logoff the client. If the client should not be
forced off, this field should be set to (0x7fffffff,0xffffffff). The ticket end time is a replacement for the
KickOffTime. The service ticket lifetime will never be longer than the KickOffTime for a user.
PasswordLastSet - the time the clients password was last set. If it was never set, this field is zero.
PasswordCanChange - the time at which the clients password is allowed to change. If there is no
restriction on when the client may change its password, this field should be set to the time of the
logon.
PasswordMustChange - the time at which the clients password expires. If it doesnt expire, this field
is set to (0x7fffffff,0xffffffff).
EffectiveName - This field contains the clients Windows 2000 UserName, stored in the Active
Directory in the SamAccountName property. This field is optional. If left blank the length, maxlength
and buffer are all zero.
FullName - this field contains the friendly name of the client, which is used only for display purpose
and not security purposes. This field is optional. If left blank the length, maxlength and buffer are all
zero.
LogonScript - This field contains the path to the clients logon script. This field is optional. If left blank
the length, maxlength and buffer are all zero.
ProfilePath - This field contains the path to the clients profile. This field is optional. If left blank the
length, maxlength and buffer are all zero.
HomeDirectory - This field contains the path to the clients home directory. It may be either a local
path name or a UNC path name. This field is optional. If left blank the length, maxlength and buffer
are all zero.
HomeDirectoryDrive - This field is only used if the clients home directory is a UNC path name. In that
case, the share on the remote file server is mapped to the local drive letter specified by this field.
This field is optional. If left blank the length, maxlength and buffer are all zero.
LogonCount - This field contains the count of how many times the client is currently logged on. This
statistic is not accurately maintained by Windows 2000 and should not be used.
BadPasswordCount - This field contains the number of logon or password change attempts with
bad passwords, since the last successful attempt.
* UserId - This field contains the relative Id for the client.
PrimaryGroupId - This field contains the relative ID for this clients primary group.
* GroupCount - This field contains the number of groups, within the clients domain, to which the
client is a member.
* GroupIds - This field contains an array of the relative Ids and attributes of the groups in the clients
domain of which the client is a member.
* UserFlags - This field contains information about which fields in this structure are valid. The two bits
that may be set are indicated below. Having these flags set indicates that the corresponding fields
in the KERB_VALIDATION_INFO structure are present and valid.
#define LOGON_EXTRA_SIDS 0x0020
#define LOGON_RESOURCE_GROUPS 0x0200
LogonServer - This field contains the NETBIOS name of the KDC which performed the AS ticket
request.
LogonDomainName - This field contains the NETBIOS name of the clients domain.
* LogonDomainId - This field contains the SID of the clients domain. This field is used in conjunction
with the UserId, PrimaryGroupId,and GroupIds fields to create the user and group SIDs for the client.
UserAccountControl - This fields contains a bitfield of information about the clients account. Valid
values are:
#define USER_ACCOUNT_DISABLED (0x00000001)
#define USER_HOME_DIRECTORY_REQUIRED (0x00000002)
#define USER_PASSWORD_NOT_REQUIRED (0x00000004)
#define USER_TEMP_DUPLICATE_ACCOUNT (0x00000008)
#define USER_NORMAL_ACCOUNT (0x00000010)
#define USER_MNS_LOGON_ACCOUNT (0x00000020)
#define USER_INTERDOMAIN_TRUST_ACCOUNT (0x00000040)
#define USER_WORKSTATION_TRUST_ACCOUNT (0x00000080)
#define USER_SERVER_TRUST_ACCOUNT (0x00000100)
#define USER_DONT_EXPIRE_PASSWORD (0x00000200)
#define USER_ACCOUNT_AUTO_LOCKED (0x00000400)
#define USER_ENCRYPTED_TEXT_PASSWORD_ALLOWED (0x00000800)
#define USER_SMARTCARD_REQUIRED (0x00001000)
#define USER_TRUSTED_FOR_DELEGATION (0x00002000)
#define USER_NOT_DELEGATED (0x00004000)
#define USER_USE_DES_KEY_ONLY (0x00008000)
#define USER_DONT_REQUIRE_PREAUTH (0x00010000)
* SidCount - This field contains the number of SIDs present in the ExtraSids field. This field is only valid
if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ExtraSids - This field contains a list of SIDs for groups to which the user is a member. This field is only
valid if the LOGON_EXTRA_SIDS flag has been set in the UserFlags field.
* ResouceGroupCount - This field contains the number of resource groups in the ResourceGroupIds
field. This field is only valid if the LOGON RESOURCE_GROUPS flag has been set in the UserFlags
field._
* ResourceGroupDomainSid - This field contains the SID of the resource domain. This field is used in
conjunction with the ResourceGroupIds field to create the group SIDs for the client.
* ResourceGroupIds - This field contains an array of the relative Ids and attributes of the groups in
the resource domain of which the resource is a member.
Fields marked with a '*' are used in the NT token.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The FILETIME type is defined as
follows:
typedef unsigned int DWORD;
typedef struct _FILETIME {
DWORD dwLowDateTime;
DWORD dwHighDateTime;
} FILETIME;
Times are encoded as the number of 100 nanosecond increments since January 1, 1601, in UTC
time.
When used in the KERB_VALIDATION_INFO, this is NDR encoded. The UNICODE_STRING structure is
defined as:
typedef struct _UNICODE_STRING
USHORT Length;
USHORT MaximumLength;
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
} UNICODE_STRING;
The Length field contains the number of bytes in the string, not including the null terminator, and the
MaximumLength field contains the total number of bytes in the buffer containing the string.
The GROUP_MEMBERSHIP structure contains the relative ID of a group and the corresponding
attributes for the group.
typedef struct _GROUP_MEMBERSHIP {
ULONG RelativeId;
ULONG Attributes;
} *PGROUP_MEMBERSHIP;
The group attributes must be:
#define SE_GROUP_MANDATORY (0x00000001L)
#define SE_GROUP_ENABLED_BY_DEFAULT (0x00000002L)
#define SE_GROUP_ENABLED (0x00000004L)
The SID structure is defined as follows:
typedef struct _SID_IDENTIFIER_AUTHORITY {
UCHAR Value[6];
} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY;
The constant value for the NT Authority is:
#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5}
typedef struct _SID {
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
[size_is(SubAuthorityCount)] ULONG SubAuthority[*];
} SID, *PSID;
The SubAuthorityCount field contains the number of elements in the actual SubAuthority
conformant array. The maximum number of subauthorities allowed is 15.
The KERB_SID_AND_ATTRIBUTES structure contains entire group SIDs and their corresponding
attributes:
typedef struct _KERB_SID_AND_ATTRIBUTES {
PSID Sid;
ULONG Attributes;
} KERB_SID_AND_ATTRIBUTES, *PKERB_SID_AND_ATTRIBUTES;
The attributes are the same as the group attributes defined above.
Client Information
The client information is included in the PAC to allow a server to verify that the PAC in a ticket is
applicable to the client of the ticket, which prevents splicing of PACs between tickets. The
PAC_CLIENT_INFO structure is included in a PAC_INFO_BUFFER of type PAC_CLIENT_INFO_TYPE.
typedef struct _PAC_CLIENT_INFO {
FILETIME ClientId;
USHORT NameLength;
WCHAR Name[1];
} PAC_CLIENT_INFO, *PPAC_CLIENT_INFO;
The fields are defined as follows:
ClientId - This field contains a conversion of the AuthTime field of the ticket into a FILETIME structure.
NameLength - This field contains the length, in bytes, of the Name field.
Name - This field contains the client name from the ticket, converted to Unicode and encoded
using "/" to separate parts of the client principal name with an "@" separating the client principal
name from the realm name. The string is not null terminated.
Supplemental Credentials
The KDC may return supplemental credentials in the PAC as well. Supplemental credentials are
data associated with a security package that is private to that package. They can be used to
return an appropriate user key that is specific to that package for the purposes of authentication.
Supplemental creds are only used in conjunction with PKINIT[2]. Supplemental credentials are
always encrypted using the client key. The PAC_CREDENTIAL_DATA structure is NDR encoded and
then encrypted with the key used to encrypt the KDCs reply to the client. The
PAC_CREDENTIAL_INFO structure is included in PAC_INFO_BUFFER of type PAC_CREDENTIAL_TYPE.
Supplemental credentials for a single package are NDR encoded as follows:
typedef struct _SECPKG_SUPPLEMENTAL_CRED {
UNICODE_STRING PackageName;
ULONG CredentialSize;
[size_is(CredentialSize)]PUCHAR Credentials;
} SECPKG_SUPPLEMENTAL_CRED, *PSECPKG_SUPPLEMENTAL_CRED;
The fields in this structure are defined as follows:
PackageName - This field contains the name of the package for which credentials are presented.
CredentialSize - This field contains the length, in bytes, of the presented credentials.
Credentials - This field contains a pointer to the credential data.
The set of all supplemental credentials is NDR encoded in a PAC_CREDENTIAL_DATA structure:
typedef struct _PAC_CREDENTIAL_DATA {
ULONG CredentialCount;
[size_is(CredentialCount)] SECPKG_SUPPLEMENTAL_CRED Credentials[*];
} PAC_CREDENTIAL_DATA, *PPAC_CREDENTIAL_DATA;
The fields are defined as follows:
CredentialCount - This field contains the number of credential present in the Credentials array.
Credentials - This field contains an array of the presented supplemental credentials.
The PAC_CREDENTIAL_DATA structure is NDR encoded and then encrypted with the key used to
encrypt the KDC reply. The resulting buffer is returned in the following structure:
typedef struct _PAC_CREDENTIAL_INFO {
ULONG Version;
ULONG EncryptionType;
UCHAR Data[1];
} PAC_CREDENTIAL_INFO, *PPAC_CREDENTIAL_INFO;
The fields are defined as follows:
Version - This field contains the version field of the key used to encrypt the data, or zero if the field is
not present.
EncryptType - This field contains the encryption type used to encrypt the data. The encryption type
uses the same values as the defined encryptions types for Kerberos [1].
Data - This field contains an array of bytes containing the encrypted supplemental credential data.
Signatures
The PAC contains two digital signatures: one using the key of the server, and one using the key of
the KDC. The signatures are present for two reasons. First, the signature with the servers key is
present to prevent a client from generating their own PAC and sending it to the KDC as encrypted
authorization data to be included in tickets. Second, the signature with the KDCs key is present to
prevent an untrusted service from forging a ticket to itself with an invalid PAC. The two signatures
are sent in PAC_INFO_BUFFERs of type PAC_SERVER_CHECKSUM and PAC_KDC_CHECKSUM
respectively.
The signatures are contained in the following structure:
typedef struct _PAC_SIGNATURE_DATA {
ULONG SignatureType;
UCHAR Signature[1];
} PAC_SIGNATURE_DATA, *PPAC_SIGNATURE_DATA;
The fields are defined as follows:
SignatureType - This field contains the type of checksum used to create a signature. The checksum
must be a keyed checksum.
Signature - This field consists of an array of bytes containing the checksum data. The length of bytes
may be determined by the wrapping PAC_INFO_BUFFER structure.
For the servers checksum, the key used to generate the signature should be the same key used to
encrypt the ticket. Thus, if the enc_tkt_in_skey option is used, the session key from the servers TGT
should be used. The Key used to encrypt ticket-granting tickets is used to generate the KDCs
checksum.
The checksums are computed as follows:
1. The complete PAC is built, including space for both checksums
2. The data portion of both checksums is zeroed.
3. The entire PAC structure is checksummed with the servers key, and the result is stored in the
servers checksum structure.
4. The servers checksum is then checksummed with the KDC's key.
5. The checksum with the KDC key is stored in the KDC's checksum structure.
PAC Request Pre-Auth Data
Normally, the PAC is included in every pre-authenticated ticket received from an AS request.
However, a client may also explicitly request either to include or to not include the PAC. This is done
by sending the PAC-REQUEST preauth data.
KERB-PA-PAC-REQUEST ::= SEQUENCE {
include-pac[0] BOOLEAN -- if TRUE, and no PAC present,
-- include PAC.
---If FALSE, and PAC
-- present, remove PAC
}
The fields are defined as follows:
include-pac - This field indicates whether a PAC should be included or not. If the value is TRUE, a
PAC will be included independent of other preauth data. If the value is FALSE, then no PAC will be
included, even if other preauth data is present.
The preauth ID is:
#define KRB5_PADATA_PAC_REQUEST 128
References
1 Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network Authentication Service (V5)", draft-ietf-cat-kerberos-
revisions-05.txt, March 10, 2000
2 Tung, B., Hur, M., Medvinsky, A., Medvinsky, S., Wray, J., Trostle, J., " Public Key Cryptography for
Initial Authentication in Kerberos", draft-ietf-cat-kerberos-pk-init-11.txt, March 15, 2000
) 2000 Microsoft Corporation. All rights reserved. Microsoft Confidential.

Logic flaw (3)

GeorgeH (5469) | more than 14 years ago | (#1096617)

"You must take reasonable security precautions, at least as great as the precautions you take to protect your own confidential information."

Since we release our source code for the world to see, we should take the same precautions with their specifications, right? Since the precaution we take is by applying the GPL to our source, the same should be done with their spec. I guess they forgot that not everyone has been assimilated yet.
--

The fud'din difference... (3)

sterno (16320) | more than 14 years ago | (#1096623)

The difference is that in the microsoft realm, this is the process:

embrace -> extend

In open source, this is the process:

embrace -> extend -> publish extensions

Open source advocates are very happy to back extension and improvement of a standard as long as it is a PUBLISHED standard. When a company adds an extension and refuses to publish it, they create incompatibility (or in other parlance, competitive advantage).

Microsoft, historically, has extended things purely as a means of maintaining control. They don't actually enhance anything, they just attempt to maintain their monopoly. This appears to be yet another case of the same thing.

---

Get around the license ... ? (3)

Sehnsucht (17643) | more than 14 years ago | (#1096624)

Isn't it true that minors can't agree to such licenses, or something like that? If so, I could have my lil bro download and click, then I could copy the PDF elsewhere.. hehe

Re:Defeating Trade Secrets 101: (3)

dillon_rinker (17944) | more than 14 years ago | (#1096625)

I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

I wouldn't do that. It's still copyrighted, and if you are associated with any group that "reverse engineers" the specs, whatever prodcut you create could get tied up in court for a long time. Distributing MS's copyrighted info could also get you into legal hot water.

Now, if you're up for some work, what you could do is rewrite the whole thing, while preserving the ideas - copyright doesn't cover that. Or you could tell people how to get this. But don't make yourself a target for MS's legal division; that's completely unnecessary.

can this be bypassed? (3)

Vlad_the_Inhaler (32958) | more than 14 years ago | (#1096626)

So what happens if someone in Usbekistan grabs the specs and puts them up on the net? Does this then make them publicly available and the person who did this liable for prosecution in a country that could not care less anyway?

The GPL (for instance) is routinely ignored in China so China would seem be another good candidate.

Why does this rule out a competing implementation? (3)

Loge (83167) | more than 14 years ago | (#1096631)

whilst making it completely impossible to implement in competiting implementations which implements their propietary protocol extensions

Huh? It looks to me like these conditions just specify what is required to gain access to the specification...I don't see anything that prohibits development competing implementation without Microsoft's consent. This agreement simply allows Microsoft to keep track of who sees the spec, nothing more.

You can speculate on how they use this information, and how they might react in the future when competing implementations do appear, but that has nothing to do with who can or can't implement the extensions themselves.

Oh (3)

jbarnett (127033) | more than 14 years ago | (#1096634)


Who would have thought that you could publish a trade secret on the web

Oh dam, I bet that is why I was fired from Coke-a-cola... it is all so clear now.

Re:Kerberos? Isn't it Cerebus? (3)

MPolo (129811) | more than 14 years ago | (#1096635)

"Cerberus" is the three-headed dog from Greek mythology, if you pass the name through a Latin filter first. (Latin doesn't use K much, and "us" is a more common ending in Latin.) If you try to be faithful to the Greek, which has Kappa Epsilon Rho Beta Epsilon Rho Omicron Sigma -- you get Kerberos.

"Cerebus", on the other hand, is an aardvark with an attitude, from the comic book of the same name, written and drawn by Dave Sim.

Posting the data is all well and good, but.... (4)

smartin (942) | more than 14 years ago | (#1096638)

What happens to the people that implement it (ie. the Samba guys) even if they obtain the information without intentionally breaking the license. Are they exposing themselves to expensive litigation? Are they endangering the project?

Ignore Microsoft's release, don't break license (4)

jonabbey (2498) | more than 14 years ago | (#1096639)

I don't get why everyone is advocating tricks to get around clicking 'ok' on the license agreement. Does anyone really think that a judge would uphold that dodge in court? 'Oh, you didn't know the license was there, so you accidentally used winzip rather than just double clicking on the executable'. I don't see this going over well.

The bigger issue here is that spreading stuff that Microsoft has indicated is not for distribution (and implementation) is no more morally respectable than someone ignoring inconvenient provisions in the Gnu General Public License. There may be a legal question as to whether anyone requires a license from Microsoft to implement any kind of spec, but taking the attitude that we have the right to take possession of their stuff is problematic at best.

We don't want people to get the idea that free software / open source software people are thieves, we want them to get the idea that we are better because we are willing to do hard work on our own.

Until a lawyer comes along and officially says that Microsoft's attempt at doing an orwellian double think specification release runs afoul of the law, leave this stuff alone.

Microsoft Instant Messenger (4)

ink (4325) | more than 14 years ago | (#1096640)

So open standards are passe, eh Microsoft?

Remeber the AOL vs. IM [slashdot.org] debacle? When AOL refused to allow IM to work with AIM, Microsoft wanted a standards agency to govern some sort of instant message standard. Well, well, well, now we have a real, open RFC standard [isi.edu] defining Kerberos, but do they want it?

This is typical Microsoft. They have some of the most excellent coders, and excellent people in other fields working there, but they also have some of the most selfish policies in the industry.

The wheel is turning but the hamster is dead.

The license is still all over the damn thing (4)

JPelorat (5320) | more than 14 years ago | (#1096641)

It's printed on every page. Extracting it from the file without reading that license gets you nowhere, cos the first paragraph says you have to have licensed it to read further. And then it's at the bottom of every page after that.

Extracting it from the cab file doesn't do you any good. It certainly doesn't let you bypass the license.

Loophole? (4)

SgtPepper (5548) | more than 14 years ago | (#1096642)

at least as great as the precautions you take to protect your own confidential information

Well hrm....what if I /don't/ take any precautions to protect my confidential information?

Or less crazy, what if the precautions I /do/ take aren't that great?

Just a thought...

Besides, shouldn't we be at least somewhat glad they did THIS. They didn't HAVE to. And yeah it's still stupid that they messed with Kerberos, but this is one step farther that they wouldn't have gone before.

So far they're acting better then nVidia.

Oooo, that's gonna piss someone off ;)

The freedom to innovate (4)

Croaker (10633) | more than 14 years ago | (#1096643)

Well, you got to give Microsoft credit. Their ability to reveal their additions to a perfectly good public standard in such a way as to remain propretary is certainly innovative.

Trade secret == open season (4)

seebs (15766) | more than 14 years ago | (#1096644)

Remember, you're allowed to try to *obtain* a trade secret, and once you do, if you haven't agreed to anything, it's no longer a secret.

Trade secrets enjoy very little legal protection, unlike other kinds of information. They can't sue you for infringement, for instance.

So, if someone is able to *extract* the information from the .exe, without running it or agreeing to anything, that's well and good.

Trade secrets are a poor form of "security".

Not for interoperability! (4)

MeanGene (17515) | more than 14 years ago | (#1096645)

The license states that

the Specification is provided...for the sole purpose of reviewing the Specification for security analysis.

And later: Microsoft does not grant you any right to implement this Specification.

I guess, if you want to make anything else out of it, you'd be in violation of everything and anything...

Ahhhh.... (4)

SvnLyrBrto (62138) | more than 14 years ago | (#1096647)

Anonymous computer time at Kinkos: $.20/minute...

Anonymous Geocities site to host the file: $0.00

The looks on Gates and Ballmer's faces as their "trade secret" is mirrored on thousands of sites worldwide....

... Priceless!

john

It's just a CAB file (4)

Sami (83769) | more than 14 years ago | (#1096649)

As most Microsoft's self-extracting files, this one is only a CAB file and therefore, you can simply use a program like WinZip [winzip.com] to extract the PDF document.

Will scrutiny of MS ever work? (4)

tjwhaynes (114792) | more than 14 years ago | (#1096650)

I'm amazed. Truely amazed. Given that nobody could be under any illusions at all that Microsoft was very much in the eye of the world at a time when the abuse of monopoly power has just been acknowledged by the courts, you would have thought that Microsoft would be on its best behaviour until the dust settled. But no.

And it's not just the Kerberos 'embrace and extend' play which has surfaced. The story going around about the Bill Gates 'smoking gun' memo on altering Windows 2000 apps to make life harder for people with Palm Pilots has also just appeared. A large part of the DOJ/ US States proposal is that MS be split up *and* be subjected to 3 years of scrutiny under fairly draconian terms. So the last thing that MS could possibly want is to make the need for scrutiny mandatory and yet this is, in all effective purposes, exactly what moves like this are liable to do - leave the courts/govt no choice except to constantly sit on the coat tails of MS and see where they are going.

Cheers,

Toby Haynes

Double Blind Reverse Engineer (4)

Kagato (116051) | more than 14 years ago | (#1096651)

It's not like companies don't get around this stuff all the time. It just takes a little more effort. You need to have a double blind. Basically doing the same thing that Compaq did with IBM's BIOS on the PC.

The first part is person to write a spec. This spec. should detail how you want something to work. "When the client does X the server should respond with Y". Etc. etc.

This person will have no other role. This person should not be associated with the developement of the MS extentions. Nor should he know any of the people who will be working on this.

His work should be handed to a third party who will deliver his spec to the developement team. Reverse engineering shall begin. It's a pain to do, but it is workable.

At any case there should be a nice stink made about this. I suggest that anyone who is a microsoft support customer contact your TAM or GTAM and let them know that this stinks.

Better than a patent (5)

Thagg (9904) | more than 14 years ago | (#1096654)

I don't blame you if you missed it during the DeCSS imbroglio, but this is so clear that it is unmistakable.

A way to get *permanent* protection over an idea or an implementation is to cause the secret to be leaked illegally.

Then, you sue everybody who implements the idea, at any time in the future, saying that they were inspired, or at least tainted, by the illegal release of the information. Trade secret laws do not allow the use of a secret if 'sufficient protections are taken'.

Previously, I had thought that a company would need a shill to do the publication of the secret; which is of course dangerous if the shill squeals. Microsoft has shown their ability to innovate here; publishing it as a secret sure to be 'improperly' released is a much better scheme.

thad

Re:Defeating Trade Secrets 101: (5)

Sloppy (14984) | more than 14 years ago | (#1096655)

I did NOT agree (nor did I even SEE) the license, and I now have access to the .pdf file. I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

Surely you jest. If failing to read a license causes me not to be bound by it, then maybe I'll just download the Linux kernel code, ignore the license, and call it public domain. Then, if it's public domain (and no longer GPLed), I can compile it and distribute binaries without source.

The license exists, and not reading it has no effect on whether you are licensed or not.

The power of the license, on the other hand, is quite debatable.


---

Defeating Trade Secrets 101: (5)

iCEBaLM (34905) | more than 14 years ago | (#1096657)

1. Download the evaluation copy of winzip [winzip.com] if you don't already have it.

2. Download the dumb exe thing.

3. Open Winzip, and then open the exe WITH WINZIP.

4. Extract the PDF without agreeing to the license.

This is what I have done, I did NOT agree (nor did I even SEE) the license, and I now have access to the .pdf file. I will give copies of the .pdf file to anyone who asks, its public domain as far as I'm concerned.

-- iCEBaLM

Is "Kerberos" trademarked? (5)

Greyfox (87712) | more than 14 years ago | (#1096661)

If they're not conformant with a open and trademarked standard, they should not be allowed to say they are. Actually, even if it's not trademarked, I wonder if you could sue them for fraudulently misleading the customer into believing the OS will work seamlessly in their existing Kerberos network.

An easy way... (5)

GNUs-Not-Good (130016) | more than 14 years ago | (#1096663)

to keep it secret. Put the pdf file on an IIS server. No one will find it there because there are no IIS exploits.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...