Comments on: Is Novell Ignoring Critical Security Problems? http://techrights.org/2008/06/01/novell-security-vanity/ Free Software Sentry – watching and reporting maneuvers of those threatened by software freedom Tue, 07 Feb 2012 14:00:35 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Roy Schestowitz http://techrights.org/2008/06/01/novell-security-vanity/comment-page-2/#comment-39152 Roy Schestowitz Sun, 23 Nov 2008 23:23:25 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-39152 <blockquote> sounds more like a WindowsXP exploit to me… </blockquote> Ah. The blame game again.

sounds more like a WindowsXP exploit to me…

Ah. The blame game again.

]]> By: Jose_X http://techrights.org/2008/06/01/novell-security-vanity/comment-page-1/#comment-39093 Jose_X Sun, 23 Nov 2008 20:48:36 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-39093 >> sounds more like a WindowsXP exploit to me… If it's accurate, I don't see how that could be anything but a network auth issue. Kerberos (to take an example and assuming it's configured properly) won't allow you to use any services if you can't authenticate with each server providing the service. You can't get the initial auth tickets if you never provided the correct password in the beginning. So Kerberos, short of bugs or some other failure, would not have this problem no matter what the client did... a.... OK, I take that back partially. If the client is compromised with inside information from the server (ie, a server breach happened already, possibly due to leaked information from insiders), then that client can compromise the system as described if so programmed. Essentially, this means whoever compromised the client knows the admin passwords (or whatever info is needed) so that the client at login can work on your behalf to pull off this "trick". Of course, the method described can't happen if the auth server info is secure no matter what a rogue client does.. unless the protocol or the implementation are faulty, which is, I think, what is being suggested is the case here for Netware. >> sounds more like a WindowsXP exploit to me…

If it’s accurate, I don’t see how that could be anything but a network auth issue. Kerberos (to take an example and assuming it’s configured properly) won’t allow you to use any services if you can’t authenticate with each server providing the service. You can’t get the initial auth tickets if you never provided the correct password in the beginning. So Kerberos, short of bugs or some other failure, would not have this problem no matter what the client did… a….

OK, I take that back partially. If the client is compromised with inside information from the server (ie, a server breach happened already, possibly due to leaked information from insiders), then that client can compromise the system as described if so programmed. Essentially, this means whoever compromised the client knows the admin passwords (or whatever info is needed) so that the client at login can work on your behalf to pull off this “trick”.

Of course, the method described can’t happen if the auth server info is secure no matter what a rogue client does.. unless the protocol or the implementation are faulty, which is, I think, what is being suggested is the case here for Netware.

]]> By: Dan O'Brian http://techrights.org/2008/06/01/novell-security-vanity/comment-page-1/#comment-11554 Dan O'Brian Sun, 01 Jun 2008 22:57:36 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-11554 sounds more like a WindowsXP exploit to me... sounds more like a WindowsXP exploit to me…

]]> By: Roy Schestowitz http://techrights.org/2008/06/01/novell-security-vanity/comment-page-1/#comment-11522 Roy Schestowitz Sun, 01 Jun 2008 16:48:37 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-11522 Now talking on #boycottnovell * heinlein.freenode.net sets mode +n #boycottnovell * heinlein.freenode.net sets mode +s #boycottnovell * #boycottnovell :[freenode-info] if you need to send private messages, please register: http://freenode.net/faq.shtml#privmsg Now talking on #boycottnovell
* heinlein.freenode.net sets mode +n #boycottnovell
* heinlein.freenode.net sets mode +s #boycottnovell
* #boycottnovell :[freenode-info] if you need to send private messages, please register: http://freenode.net/faq.shtml#privmsg

]]> By: patenttrollssuck.exe http://techrights.org/2008/06/01/novell-security-vanity/comment-page-1/#comment-11519 patenttrollssuck.exe Sun, 01 Jun 2008 16:15:46 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-11519 roy, any word on #boycottnovell @ freenode IRC? =) roy, any word on #boycottnovell @ freenode IRC? =)

]]> By: Uncle_Sam http://techrights.org/2008/06/01/novell-security-vanity/comment-page-1/#comment-11517 Uncle_Sam Sun, 01 Jun 2008 15:59:04 +0000 http://boycottnovell.com/2008/06/01/novell-security-vanity/#comment-11517 Only thing MS has done is write software/technology/specifications that works only on their platform. Milk it all you can. Only thing MS has done is write software/technology/specifications that works only on their platform. Milk it all you can.

]]>