THANK YOU Europe! (and um… Microsoft)

Eric Monti | February 22nd, 2008 | Filed Under: Bitching About Protocols, Industry Punditry

If you do any kind of info security work or FOSS integration with Windows and other Microsoft products, go and bookmark this link now!

By this time, I imagine everybody has heard about Microsoft’s new “Interoperability Initiative” announcement yesterday and all the buzz surrounding it. Lots of nay-saying about the actual level of openness coming out of Redmond, which is to be expected as par for the course. But… have you actually READ any of the references they published???

Whether this is as complete as it could be is probably still debatable to an extent. As somebody who’s got some experience reversing Microsoft protocols, I have to say from skimming the site, it looks like the lion’s share of transparency the FOSS and security communities have been calling for for a long time now. Given some more time, even I will inevitably nitpick about the things that aren’t included or are “under-included” in this reference material. Off the bat, for example, there seems to be little if any information on SQL Server and similar tertiary MS technologies.

But this is definitely a huge step by Microsoft. I really hope they will keep all of this material up to date and keep it coming where there are gaps. Something tells me they probably will.

So… credit where credit’s due. Microsoft definitely gets kudos for this. The nay-sayers claiming “we’ve heard that one before” appear to be dead wrong this time. My natural instincts would normally be to join them, but the evidence is to the contrary. In the spirit of my fairly blatant and deep-seated prejudices, I will still at least proclaim “It’s about freaking time, Redmond!”. Oh and while I’m being snide… that stuff about not suing some of us is real sweet to hear from Ballmer too…

Still, my gold kudo ultimately goes to the EU. The whole episode definitely affirms that our government representatives in the US never put any real teeth on our MS anti-trust struggle over the past decade and that they really should have a long time ago. As we’ve seen in the last number of years with MS’s increased security transparency initiatives, I think it will become even more apparent that increased transparency has never been contrary to corporate interests either.

Anyway, politics aside… Deep down, while skimming the site, I’m feeling a little like Wile E. Coyote in the ACME factory after closing time.

As soon as I got wind of the release, I made a bee-line right for this document, NTLMSSP/NTLMv2 token exchanges being a subject near and dear to me during several projects a few years back. I think this is an example of where the new references, accessibility, and toning down of the “suing” rhetoric may bear fruit.

Now that MS seems to have admitted that it is “legal” to do so (more sarcasm) we may for example see Firefox and other open browsers fully implement NTLMv2 authentication blobs to get along with IIS webserver authentication. On the flip side, people might start using NTLM under Apache to integrate with their Windows domains and/or directories (I seem to recall a 3rd party module or two out there that even does this already). NTLMSSP is goofy, sure. Don’t get me wrong. I still dislike NTLM, it’s just that I got pretty “close to it” for a while there. For all the troubled past and arguable nastiness, NTLMv2 challenge/response handshakes over HTTP are at least a better alternative to Basic Auth (at least somewhat comparable to Digest). Sure, there are some really gross flaws in the crypto, arguably some information leakage… but on the plus-side there are tons of IE browsers out there all ready to actually start using it if it actually becomes relevant by working elsewhere other than just IIS.

A little background: Even though for some time, this has been considered “conquered territory”— lots of FOSS implements it to varying degrees (as evidenced by the Wikipedia entry) — NTLMv2 and NTLMSSP are still and have long been Microsoft inventions that are not terribly well understood by “the rest of us”. This is mostly due to the lack of documentation out of Redmond. Before it was “deprecated” by Active Directory/Kerberos, Microsoft cobbled NTLM/NTLMv2 into all sorts of protocol implementations. Examples include CIFS (where it’s rooted), MS-SQL, POP3, IMAP, HTTP, SMTP, even Telnet for jebus’ sake! The list goes on. To many, it would be an understatement to say that Microsoft has historically leveraged NTLM to attain a degree of ill-gotten market dominance through incompatibility.

NTLMSSP is still relevant in the AD/Kerberos world for that matter. Probably in order to save themselves the hassle (irony), MS decided to leverage much of the basic NTLMSSP token structure and protocol semantics for when AD/Kerberos message exchanges came around. You’re still pretty likely to see NTLMSSP blobs in and out of Base64 packaging in many MS protocol implementations — regardless of whether you’re using Kerberos or still downwardly compatible.

In the past, incorporating or implementing NTLMv2 (let alone “correctly” whatever that was) was a pretty big hassle. Just deciphering those NTLMSSP NegotiateFlags was cause of considerable grief. The worst part was wondering whether and which of the “unused” bits were “really unused”. Now, seeing all those bits laid out and documented in their entirety outside of a Samba or MS-SDK C header this way gets me a little dizzy. There was, I admit, a masochistic kind of pleasure in cobbling together and in some cases reversing the information from various sources back then — like discovering new frontiers or something. But yeesh… I think my rational side ultimately wins out on that kind of nostalgic waxing. Yea, enough of that crap! It’s time to move on.
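To make the NegotiateFlags point concrete, here is an added example (not code from the original post or from Microsoft) that unpacks a Base64-wrapped NTLMSSP token as it appears in an HTTP `NTLM` credential and names each flag bit, reporting any reserved bits that are set. Flag names and field offsets follow Microsoft's published NTLM reference ([MS-NLMP]); the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

# NegotiateFlags bit names per the published [MS-NLMP] reference (NTLMSSP_
# prefix dropped). Any bit not listed here is reported as reserved.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE", 0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET", 0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL", 0x00000040: "NEGOTIATE_DATAGRAM",
    0x00000080: "NEGOTIATE_LM_KEY", 0x00000200: "NEGOTIATE_NTLM",
    0x00000800: "ANONYMOUS", 0x00001000: "NEGOTIATE_OEM_DOMAIN_SUPPLIED",
    0x00002000: "NEGOTIATE_OEM_WORKSTATION_SUPPLIED",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN", 0x00010000: "TARGET_TYPE_DOMAIN",
    0x00020000: "TARGET_TYPE_SERVER",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NEGOTIATE_IDENTIFY",
    0x00400000: "REQUEST_NON_NT_SESSION_KEY",
    0x00800000: "NEGOTIATE_TARGET_INFO", 0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128", 0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}
# Byte offset of NegotiateFlags for each MessageType
# (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}

def parse_ntlmssp(header_value):
    """Return (message_type, flag_names, reserved_mask) for 'NTLM <base64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM credential")
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    off = FLAGS_OFFSET.get(msg_type)
    if off is None or len(blob) < off + 4:
        raise ValueError("unknown message type or truncated message")
    (flags,) = struct.unpack_from("<I", blob, off)
    names = [name for bit, name in sorted(FLAGS.items()) if flags & bit]
    reserved = flags & ~sum(FLAGS) & 0xFFFFFFFF  # bits the table does not name
    return msg_type, names, reserved

def build_negotiate(flags):
    """Constructed sample: NEGOTIATE message with empty domain/workstation."""
    body = b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + bytes(16)
    return "NTLM " + base64.b64encode(body).decode()

if __name__ == "__main__":
    for sample in (0xA2088207, 0x00000208):  # second sets a reserved bit
        print(hex(sample), parse_ntlmssp(build_negotiate(sample)))
```

A non-zero reserved mask is worth logging when auditing captured traffic, since it marks a client or server setting bits the reference leaves undefined.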

So… in conclusion:

Keep it up MS and… <cough>… thank you!

I’m pretty sure MS won’t regret this, either. I hope the old-guard holdouts out there (yes that includes YOU, Apple… Cisco…) pay very close attention over the weeks and months to come.
