back to article Redmond may buy security company it says is wrong about AD flaw

Microsoft is reportedly in talks to buy Israeli security firm Aorato for $200 million after this week pouring cold water on its claim to have discovered a critical flaw in Active Directory. Aorato was founded by former Israeli Defense Force hackers and offers products that detects attacks on against Active Directory. As …

Silver badge
FAIL

So

The accountants think it would cost more than $200M to fix the bug you mean.

Why debug when you can bury more cheaply.

16
0
Silver badge
Thumb Up

Re: So

Exactly my first thought.

Nice to know others can be just as right wrong as I can :)

0
0
Silver badge
Trollface

Aorato was founded by former Israeli Defense Force hackers and offers products that detects attacks on against Active Directory.

Once detection occurs, their program immediately dispatches a couple of viral assassins using fake UK credentials while logic bombs are dispatched to the general subnet of the attackers. Mom & pop PCs caught up in the destruction are invited to visit the webiste of the company where they are then denigrated as "collateral damage that only has got itself to blame" and other far more odious words. Meanwhile, subsidies are automatically transferred by Western Union money transfer from selected bastion of Washington D.C. to support "this plucky company that fights for its existence".

13
5
Silver badge

In your Face Laundries

Quite so, Destroy All Monsters. Another phantom money transfer to help keep the ponzi of free trading stock markets churning and not failing immediately?

2
2
Anonymous Coward

More like: Their program immediately illegally occupies territory that previously belonged to another program, and begins to slowly occupy the neighbouring space - whilst placing other programs resources under siege - and killing them when it thinks no one is looking...

4
3
Anonymous Coward

Or upgrade

What are you still using NTLM in your environment for anyway? Upgrade to 2012 AD and get rid of it.

1
4
Silver badge

Re: Or upgrade

Yup, I'll just run that Server2012 upgrade for my clients for free. Oh, hold on, Server 2012 *costs money*. As does my time, and the companies downtime while I do it.

Moron.

7
1
Anonymous Coward

Re: Or upgrade

"Yup, I'll just run that Server2012 upgrade for my clients for free"

It's covered under Software Assurance.

"and the companies downtime while I do it."

What downtime? Upgrading AD doesnt require downtime.

0
4
Silver badge

Re: Or upgrade

Yup, because software assurance is free. Fuckwit.

And as for AD upgrades not requiring downtime - that's a dubious statement at best. Especially in the SoHo-SMB space where you're unlikely to have multiple servers to balance out the load while the operating system upgrade is ongoing - and that's after you've moved any data shares, exchange, etc off the server(s) you need to upgrade. Because new servers aren't free either.

Typical MS (as it's pretty much established that AC is a shill - or just utterly deluded) - absolutely no concern for anyone but the enterprise.

Steven R

3
0

This post has been deleted by its author

Anonymous Coward

Re: Or upgrade

"Yup, because software assurance is free. Fuckwit."

Support / maintenance obviously isnt free - but you have to be retarded not to take it - so do you mean you didnt sign them up for SA? In which case as we now see, you are the fuckwit...

"that's a dubious statement at best. Especially in the SoHo-SMB space where you're unlikely to have multiple servers to balance out the load while the operating system upgrade is ongoing -"

The minimal number of AD servers you should ever have in a domain is 2. Fullstop. If you have only one in any environment then thats a problem in itself.

0
2
Silver badge

Re: Or upgrade

Guess what, you fucking numpty - most SMBs have one or two Window servers and little more, and that still requires downtime when you have to upgrade a server to 2012 to improve the AD level because most of them don't have a seperate server to host their data/exchange/AD environments because they can't afford to have 2 servers + hot spare. This is true of most SMB environments where no amount of telling them will encourage them to spend more than £3000 on critical infrastructure because IT is a cost centre as far as they are concerned. They'd rather spend that money on staff, office chairs, transport budget etc as they tend not to have money leaking out of their rectums.

And oddly, most clients don't believe that $$$/PA for SA is worth it when they'll likely upgrade their OS when they replace the server(s). Because they can't afford to just throw money at the OS whenever MS have decided they can't be arsed to fix an actual problem.

Pull your head out of your arse AC, you stink of fetid shit, and everyone knows it but you. When you don't have a minimum five figure IT budget per year, this stuff matters.

1
0

Re: Or upgrade

"It's covered under Software Assurance."

And what about the labour for planning, testing, deploying and such?

0
0
Silver badge

Re: Or upgrade

Maventi, don't be silly, a wizard will do it for you at no cost and it will all just work by magic.

Steven 'not sarcastic in the slightest' R.

0
0
Anonymous Coward

Um

Is it a flaw in Kerberos or Microsoft's implementation?

2
1

Re: Um

It's more of a feature - essentially it is a negotiation "I can't do Kerberos", "OK, use this instead", where the alternative is known not to be bullet proof. As another poster has already commented you're given choices about the default security level as pat of the installation and it is explained that the backwards-compatible alternative is less secure. Really the only substance I can see is the lack of proper logging.

1
0
Anonymous Coward

Re: Um

Microsoft's implementation

2
1

Re: Um

Of course it's Microsoft's implementation. They never understood Kerberos.

NTLM junk should have been sacked at least a decade ago.

0
3
Anonymous Coward

Re: Um

"They never understood Kerberos.

NTLM junk should have been sacked at least a decade ago."

Erm - but it has been. And NTLM has nothing whatsoever to do with Kerberos. Please comment only on things you actually understand.

1
0
Silver badge
Big Brother

Hushdear

Here's a little something, have a holiday, have a lovely time and forget about all this nonsense eh.

3
0
Silver badge

NTLM Authentication

You mean the authentication method you have to manually turn on for an AD Domain/Forest set to Windows 2000-native functional level or higher. So unless you are still running NT4 or haven't bothered to properly configure Active Directory, you're in the clear.

0
2
Big Brother

Well-understood limitation of Microsoft Kerberos?

"Redmond has since pointed out the attack was a well-understood limitation of Kerberos and referred punters to documentation about how to prevent the attack"

ref: That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos.

ref: 'We consider the fact that attackers can change the victim’s password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a “by-design” flaw.'

1
2

Re: Well-understood limitation of Microsoft Kerberos?

That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos.

Fair's fair... that isn't really true. There's a difference between vendor-specific extensions and breaking compatibility. We have Windows machines authenticating against MIT Kerberos and indeed vice versa. Windows does need a little fettling since it regards that as an inter-realm relationship (because of the lack of those extensions) but they will interoperate. It's pretty much essential if you want Windows and Unix systems to interoperate in anything like a seamless manner with common user accounts on each.

2
0
Anonymous Coward

Re: Well-understood limitation of Microsoft Kerberos?

"That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos."

No it isn't - extensive testing was done while I worked for a large investment bank and there are no compatiblity issues - at least with replacing MIT wth the Microsoft flavour anyway.

0
0
Big Brother

Re: Well-understood limitation of Microsoft Kerberos?

They're either compatible or they're not, as in can you drop in non-ms-kerberos and get identical functionality - answer NO.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017