Microsoft attempts to censor Slashdot

Posted 11 May 2000 at 15:08 UTC by JHM Share This

Microsoft has serviced notice to Andover demanding the removal of comments made by Slashdot readers.

As the Godwin quote at the Freenet site goes:

"I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?'

Read Slashdot's coverage of a Microsoft attempt to censor their poster's comments under the DMCA while you still can...

Comments; type thereof, posted 11 May 2000 at 15:26 UTC by sneakums » (Journeyer)

The comments they want removed are of three basic categories:

  1. Comments containing copyrighted material, their Kerberos PAC spec
  2. Comments linking to copies of same
  3. Comments they just don't like

The comments falling into category one are the only ones they could "reasonably" require the removal of. Since the PAC spec's non- distributable status is clearly outlined when you run the .EXE they provide, and on every page of the spec, they seem to have a case here.

Comments falling into categories two and three should remain. They may not be agreeable to Microsoft, but then again, I don't like everything everyone says to me either.

The important thing, posted 11 May 2000 at 16:10 UTC by tjl » (Journeyer)

As many people have already agreed, Slashdot should probably remove the actual copies of the copyrighted material.

However, that's not the important thing here. The important thing is to make sure that in the ensuing media coverage, "our" message gets to play a big part. What is "our" message? Our message is that Microsoft tried to make the protocol inoperable for other than their servers. They tried to make use of their monopoly to shut out other OSes.

We have to play the PR game, too. PR and propaganda transform peoples' opinions. Peoples' opinions transform reality (e.g. by making someone put money into system X instead of Y).

"Our" message, posted 11 May 2000 at 18:18 UTC by lilo » (Master)

All I'll add is to comment that for many of us, "our" message includes the concept that rigid enforcement of copyright protection on the Internet will have extremely negative effects on free speech, technical and otherwise, which makes the Digital Millenium Copyright Act a real problem for the Internet community in general and hackers specifically.

kerberos pac, posted 11 May 2000 at 18:33 UTC by lkcl » (Master)

there is an approximately 10-year-old precedent for overloading the application-specific field with "user profile" information in exactly the same way that microsoft has done, in the (now TOG) DCE/DFS implementation that uses kerberos.


because the authentication works like this: you send a kerberos-request encapsulated over SMB [as per the kerberos rfc 1510 spec, to which even the MIT krb-srv does not conform as it was written *during* development]. the response contains, from the microsoft krb5-srv, a user profile. i.e. home dir, user sid, array-of-group-rids [all equiv. to NIS / NIS+ info]. all of this is done with *minimal* packet-transfers, and it's signed and sealed, so you can guarantee that it's definitely the right server that gave you that info.

alternative implementation: you send a kerberos-req to a non-PAC-returning-krb-srv, which gives you a "yes/no"-style answer to your authentication request. _now_ you drop that connection, and go off an do some weird stuff to find the user profile. you use the krb-session stuff to do a sign/seal to *exactly* the same server that just authenticated you, to obtain the bits of information that you didn't get when you first contacted it.

this seems totally crazy, to me. a *far* more efficient approach is to just say, "hi, is this user's password right, and if so, give me their account info so i can log them in straight away".

anyway, don't worry about it. one of the provisions of the DCMA is that "security and anti-virus" firms are exempt, in order to make "security assessements".

additionally, the members of the samba team are good enough at examining and decoding network data to not *need* microsoft's damn 1000lb-weight-for-a-floatation-device assistance, thank you very much.

DMCA circus comes to California, posted 11 May 2000 at 21:43 UTC by dmarti » (Master)

Rachel Chalmers wrote, "A second round of public hearings will be held on May 18-19 at Stanford University in California. It's safe to expect further protests from the politically active Linux user groups in that region."

You think so?

choleric, posted 14 May 2000 at 09:00 UTC by mbp » (Master)

Here's an interesting theory

I have a huge amount of respect for the talent and determination of the Samba team, and the utility of their products. At the same time I think it's incredibly wrongheaded to be ambivalent about proprietary and freedom-reducing software and laws because you can work around them. Luke, if we allow things like this to go ahead, then the next step will be that your reverse engineering will *itself* be illegal.

Re: choleric, posted 15 May 2000 at 05:48 UTC by lkcl » (Master)

hi mbp,

firstly, we don't do reverse engineering, we do network black-box analysis [which you can call network-reverse-engineering if you like]. multiple actual machines, or multiple vmware sessions, using packet tracing and staring at data on-wire or virtual-wire.
secondly, reverse engineering of copyright, proprietary material, including closed-source "security" algorithms, is already outlawed in the us under the DCMA *except* by security and anti-virus companies.

i worked for ISS X-Force for eighteen months: arrangements were made through political lobbying during the law-negotiation stages to allow ISS and other such companies to legally carry out an analysis of a program, in the absence of cooperation from the suppliers of said program, even though it may be in the best interests of aforementioned suppliers and much more importantly than any such stupid supplier, their customers.

Re: choleric, posted 15 May 2000 at 06:19 UTC by lkcl » (Master)

p.s. thx 4 support, martin.

p.p.s. interesting theory. i have an alternative, similar theory. microsoft knows *full* well that their security-stuff [in particular, MS-CHAP, aka NTLMv1 and how it is used in NTLMSSP, see ISBN 1578701503 appendix a for details of protocols] is... well... a piece of shit: the 128-bit encryption isn't, it has 64-bit brute-force bottlenecks. there are places where 64-bit random keys are supposed to be exchanged: they are truncated to 40-bit, padded with zeros. there are password-updates to random values on a regular basis that have an initial well-known value *and use the old value to encrypt the new one*. i count approximately five or more places where RC4 is used *with the same damn key*: two of these are MD4(Administrator's password). another of these is the same damn RC4 key to encrypt an *entire set of user password hashes*! i mean, how fucking stupid can you GET! using the same RC4 key to encrypt absolutely everyone's clear-text-equivalent password hashes, and then shipping them all in clear-text over-the-wire??? the best of it is, some of these password hashes are blank. all you hakrz who have been doing that RC4 implementation stuff: you should get the implications of this one *real* quick.

the point is that their lawyers have advised them that they *can't tell anyone about this*. why? because their major corporate customers would go absolutely insane and start suing them down to the bedrock and then stripping *that* as potential assets to auction, too.

so, how in hell's name do they get out of this kind of god-awful, stupid mess, especially as the longer they leave it, the worse the potential law-suit costs get. simple: they make sure that the info leaks, somehow. by either *not* pursuing some alternative implementation of their "proprietary" technology; by privately supporting and helping third-party vendors that are not a real threat, in market-sales / monetary terms, to their [perceived] market dominance, microsoft can ensure that the information, which they have correctly assessed as a nightmare liability, becomes public knowledge by accident. they can then choose to publish it at some later date [with, of course, the Blessing Of Their Lawyers] and have some breathing space to replace it with better, New, Improved Shit.

because they still don't learn.

because they still want to Rule The Marketplace, and the world.

because they still think that they know it all and have world dominance on all the security experts and intelligence and number-of-eyes in the world.

they'll get it, eventually: forced upon them [hopefully by the DoJ] or with hindsight as the geologists move in to evict them, which will be most unfortunate as it's the ordinary people - the same ordinary people who keep getting hit by VBS script-viruses on a tedious, monotonous fucking basis - who will suffer most.

p.p.p.s ms *is* right about the copyright violations, no two ways about that.

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page