
So
The accountants think it would cost more than $200M to fix the bug you mean.
Why debug when you can bury more cheaply.
Microsoft is reportedly in talks to buy Israeli security firm Aorato for $200 million after this week pouring cold water on its claim to have discovered a critical flaw in Active Directory. Aorato was founded by former Israeli Defense Force hackers and offers products that detect attacks against Active Directory. As …
Aorato was founded by former Israeli Defense Force hackers and offers products that detect attacks against Active Directory.
Once detection occurs, their program immediately dispatches a couple of viral assassins using fake UK credentials while logic bombs are dispatched to the general subnet of the attackers. Mom & pop PCs caught up in the destruction are invited to visit the website of the company where they are then denigrated as "collateral damage that only has got itself to blame" and other far more odious words. Meanwhile, subsidies are automatically transferred by Western Union money transfer from selected bastions of Washington D.C. to support "this plucky company that fights for its existence".
Yup, because software assurance is free. Fuckwit.
And as for AD upgrades not requiring downtime - that's a dubious statement at best. Especially in the SoHo-SMB space where you're unlikely to have multiple servers to balance out the load while the operating system upgrade is ongoing - and that's after you've moved any data shares, exchange, etc off the server(s) you need to upgrade. Because new servers aren't free either.
Typical MS (as it's pretty much established that AC is a shill - or just utterly deluded) - absolutely no concern for anyone but the enterprise.
Steven R
"Yup, because software assurance is free. Fuckwit."
Support / maintenance obviously isn't free - but you have to be retarded not to take it - so do you mean you didn't sign them up for SA? In which case as we now see, you are the fuckwit...
"that's a dubious statement at best. Especially in the SoHo-SMB space where you're unlikely to have multiple servers to balance out the load while the operating system upgrade is ongoing -"
The minimal number of AD servers you should ever have in a domain is 2. Full stop. If you have only one in any environment then that's a problem in itself.
Guess what, you fucking numpty - most SMBs have one or two Windows servers and little more, and that still requires downtime when you have to upgrade a server to 2012 to improve the AD level because most of them don't have a separate server to host their data/Exchange/AD environments because they can't afford to have 2 servers + hot spare. This is true of most SMB environments where no amount of telling them will encourage them to spend more than £3000 on critical infrastructure because IT is a cost centre as far as they are concerned. They'd rather spend that money on staff, office chairs, transport budget etc as they tend not to have money leaking out of their rectums.
And oddly, most clients don't believe that $$$/PA for SA is worth it when they'll likely upgrade their OS when they replace the server(s). Because they can't afford to just throw money at the OS whenever MS have decided they can't be arsed to fix an actual problem.
Pull your head out of your arse AC, you stink of fetid shit, and everyone knows it but you. When you don't have a minimum five figure IT budget per year, this stuff matters.
It's more of a feature - essentially it is a negotiation "I can't do Kerberos", "OK, use this instead", where the alternative is known not to be bulletproof. As another poster has already commented you're given choices about the default security level as part of the installation and it is explained that the backwards-compatible alternative is less secure. Really the only substance I can see is the lack of proper logging.
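On the logging point above: an added example (not code from the article, Aorato or Microsoft) that reads Windows Security event 4624 records and reports which accounts' network logons negotiated down to NTLM instead of Kerberos, which is the fallback the post describes. The field names are the standard 4624 ones; the sample events are constructed.

```python
# Added example (not code from the article, Aorato or Microsoft): flag type-3 network
# logons that negotiated down to NTLM in Security event 4624. Sample events are constructed.

SAMPLE_4624 = """\
EventID: 4624
Account Name: alice
Logon Type: 3
Authentication Package: Kerberos
Source Network Address: 10.0.0.21

EventID: 4624
Account Name: alice
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 10.0.0.21

EventID: 4624
Account Name: svc-backup
Logon Type: 3
Authentication Package: NTLM
Source Network Address: 10.0.0.99

EventID: 4624
Account Name: bob
Logon Type: 2
Authentication Package: NTLM
Source Network Address: -
"""

def parse_events(text):
    # Blank-line-separated 'Key: Value' records -> list of dicts.
    events = []
    for block in text.strip().split("\n\n"):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        events.append(ev)
    return events

def ntlm_fallback_report(events):
    # Account -> source addresses for network (type 3) logons that used NTLM;
    # interactive (type 2) NTLM logons are normal on the local box and are skipped.
    report = {}
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("Logon Type") != "3":
            continue
        if ev.get("Authentication Package", "").upper() == "NTLM":
            report.setdefault(ev["Account Name"], []).append(ev.get("Source Network Address", "-"))
    return report
```

Run against an exported Security log, a non-empty report in a domain where Kerberos is expected is the downgrade activity worth auditing (or blocking with the Restrict NTLM policies).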
"Redmond has since pointed out the attack was a well-understood limitation of Kerberos and referred punters to documentation about how to prevent the attack"
ref: That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos.
ref: 'We consider the fact that attackers can change the victim’s password by only knowing the NTLM hash to be a flaw. If this flaw is by design, this simply makes it a “by-design” flaw.'
That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos.
Fair's fair... that isn't really true. There's a difference between vendor-specific extensions and breaking compatibility. We have Windows machines authenticating against MIT Kerberos and indeed vice versa. Windows does need a little fettling since it regards that as an inter-realm relationship (because of the lack of those extensions) but they will interoperate. It's pretty much essential if you want Windows and Unix systems to interoperate in anything like a seamless manner with common user accounts on each.
"That would be Microsoft Kerberos, the one that's incompatible with MIT Kerberos."
No it isn't - extensive testing was done while I worked for a large investment bank and there are no compatibility issues - at least with replacing MIT with the Microsoft flavour anyway.