On Thursday, lawyers for Andover.Net, the parent company of the Linux enthusiast site Slashdot, posted a response to a legal challenge posed by Microsoft lawyers last week over Kerberos. On the same day, the Massachusetts Institute of Technology announced it was working with Apple to ensure availability of Kerberos for the forthcoming Mac OS X operating system. And to top it all off, CERT warned of a Kerberos buffer overflow that could result in severe security problems for certain implementations.
The Kerberos protocol was developed by MIT in the mid-1980s as part of the school's Project Athena, and it later became an open standard championed by the Internet Engineering Task Force. A number of OS vendors have been moving to add Kerberos support because its authentication improves the security of client-server networking connections.
More hot water
Microsoft was one of those vendors that opted to add Kerberos Version 5 support to Windows 2000. Over the past two weeks, however, Microsoft decided to go after Slashdot, in its role as ISP, regarding a handful of postings that Microsoft claimed violated the nondisclosure agreements it required as part of the licensing terms for proprietary extensions it made to the Kerberos protocol.
On Thursday, Slashdot lawyers responded to Microsoft's request to pull the offending posts in an open letter posted to the Slashdot Web site.
"As a general matter, it is the policy of Slashdot not to interfere with or censor the communications of its users," stated the letter, signed by attorney Mark Robins. "Andover.Net is particularly concerned about censoring the user postings on which you have focused given their apparent relevance to issues in the current antitrust litigation between Microsoft and the government."
The letter went on to comment on whether Microsoft has a legal right to attempt to trademark and protect proprietary extensions to a public protocol. Many Slashdot protesters have focused on whether Microsoft's demand that Slashdot remove posts that allegedly violate a non-disclosure agreement is an example of an abuse of the Digital Millennium Copyright Act.
A Microsoft official contacted for comment on the lawyer's note said the company had nothing further to say on the issue.
Security software with a security glitch
Apple is another OS vendor intrigued by the promises of Kerberos. According to a statement issued by MIT on Thursday, Apple and MIT are working together to ensure that Mac OS X will fully support Kerberos. Mac OS X, Apple's next-generation OS, is expected to ship in January.
Like all security software, Kerberos itself isn't immune to security glitches. On Wednesday, the CERT Coordination Center issued a warning regarding at least four buffer overflow vulnerabilities in Kerberos Versions 4 and 5 (the latter in its Version 4 compatibility code). CERT noted that no Microsoft products were affected by the vulnerabilities, but NetBSD, among other products, is vulnerable.
"The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Centre (KDC) system, the entire Kerberos domain may be compromised," the advisory warned.
By Thursday, CERT had posted a number of patches to its site that addressed most of the problems.
Additional reporting by Sm@rt Reseller security columnist David Raikow.