Window Manager
Brian Livingston
Three-headed dog bites Microsoft: Readers respond to Kerberos confusion

I WROTE IN MY May 15 column that Microsoft had modified the Kerberos security standard (see "000515oplivingston.xml"). After the changes, Windows 2000 Professional clients could exchange needed authorization information only with Windows 2000 Servers -- not with servers running other operating systems.

Kerberos was named after the mythological three-headed dog that guards the gates of Hades. The security protocol was developed as an open standard at MIT in the early 1990s. It is widely used in Unix and other networks for single sign-on authorization of users.

It seems that this dog still has teeth, judging from readers who responded to my invitation to send in their opinions.

Reader Rich Sidney spoke for many when he said that Microsoft may have violated the license for Kerberos by claiming its changes are a trade secret. "By (1) failing to document the changes to the interface, (2) publishing the change under a closed, proprietary 'trade secrets' license, and (3) not communicating their requirements and changes to the open-source product owner for inclusion in newer versions, they have actually broken the license agreement under which open-source software is published and released," Sidney writes.

Microsoft's claim that its changes to the Kerberos standard are "trade secrets" bothered many people. Microsoft made this assertion although it had posted a document about the modifications on its Web site for anyone to download. (Go to to get a copy.)

The document you download from Microsoft's Web site is contained in a self-extracting .exe file. If you run this file to decompress the document, you must first click OK to accept a "nondisclosure agreement." Anyone who uses WinZip to open the self-extracting file, however, never sees this agreement and never agrees to anything.

The question of how a document posted on a Microsoft Web site can be called "secret" has turned this story from merely strange to truly bizarre. Microsoft is now threatening to sue a popular Internet news site, Slashdot, if it doesn't remove messages from several readers that include the same document Microsoft posted for all to see.

In a message dated May 10 to Slashdot's parent company,, Microsoft representative J.K. Weston wrote: "We request immediate action to remove the cited violations from Andover's servers, in accordance with the provisions of the Digital Millennium Copyright Act [DMCA] of 1998." (For the full text of Microsoft's letter, see

The DMCA allows companies to demand the immediate removal of copyrighted material from online sites.

Critics claimed this amendment would be used to censor fair use of materials that the public has a legitimate interest in. Microsoft may make Slashdot the first test of this theory.

Andover attorney Mark Robins responded to Microsoft on May 18. "How can Microsoft use the Kerberos name, which signifies an open standard protocol, in connection with a proprietary protocol?" Robins asks.

Furthermore, "How can Microsoft claim trade secrecy for a protocol that is distributed over the Internet?" (See

Aside from Microsoft's claim that a document it posted is a secret, some readers question whether its version of Kerberos is even that secure.

"Any machine offering a service using Kerberos validation [including print and file servers] holds the secret key," writes reader Milan Merhar.

Similar to Kerberos servers themselves, print and file servers that hold the key "must also be in a physically and access-secure area. Knowing the ad hoc way that Windows NT networks often grow, the requirement to isolate and secure print and file servers may be a big surprise to most system administrators," Merhar writes.

Doug Munsinger feels the solution is to "require Microsoft to publish each and every Windows and Office API before it is implemented in any product."

It's interesting to note that the Department of Justice's recommended "conduct remedies" would require this. If Judge Thomas Penfield Jackson decides to impose these remedies, would they apply to Kerberos? I guess we'll find out.

Readers Sidney, Merhar, Munsinger, Randall Hansen, and Richard Hecker will receive free copies of Windows 2000 Secrets for sending me tips I used in this column.




Copyright 2001 InfoWorld Media Group, Inc.