
ad-assurance - Re: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion

Subject: Meeting the InCommon Assurance profile criteria using Active Directory




  • From: David Walker <>
  • To:
  • Subject: Re: [AD-Assurance] RE: Sorry for the NTLMv1/v2 confusion
  • Date: Fri, 21 Jun 2013 11:00:52 -0700
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=pass (signature verified)

As long as we're waxing philosophic, I wonder how long it'll be before enterprises realize that they have diminishing reason for putting a PC on everyone's desk (and, therefore, for running AD).  Enterprise services are increasingly available on the web for BYOD mobile platforms.  At some point, people will use enterprise-provided PCs for not much more than legacy Windows applications (which probably won't include Exchange or maybe even Office).  At that point, those legacy applications will start looking pretty expensive.

(Yes, yes.  I know there are significant risks to BYOD, but I think we're doing it anyway.  And AD can be used to manage non-Windows platforms, but its utility for that drops off.)

David

On Fri, 2013-06-21 at 17:33 +0000, Rank, Mark wrote:
Ron:


"This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CP/M instead of MS-DOS back in the day."


I often wonder what would have happened if Ken Olsen had hired a few more marketing and product strategy folks for DEC instead of all those engineers... ;)


Mark



--------------------------------------------------
Mark Rank
Project Manager - Identity & Access Mgt
UCSF Information Technology Services (ITS)
email:
phn:414-331-1476
--------------------------------------------------

From: [] on behalf of Ron Thielen []
Sent: Friday, June 21, 2013 10:13 AM
To:
Subject: [AD-Assurance] Sorry for the NTLMv1/v2 confusion



I apologize for nearly derailing the conversation.  While I still maintain that hash-stealing attacks against NTLMv2 are irrelevant to the Silver assertion if you can't use the hash to authenticate to a service that compromises the actual password (e.g., as long as Shib isn't using Windows authentication), the piece I confused was that NTLMv1 does actually pass the password.  So, a brute-force attack on v1 does get you the actual password, not just a hash collision.


This just reinforces my conviction that the world would be a much better place without Windows.  If only IBM had chosen CP/M instead of MS-DOS back in the day.  :-)


Ron
