e: Win NT Authorization problems... the *real* fix you are looking for.

David Collier-Brown davecb at Canada.Sun.COM
Mon Mar 23 12:50:36 GMT 1998

You said:
|  1) No sane administrator would want to defeat encrypted password by
| allowing clear text passwords in the registry if they didn't have to.

	Actually that's MS doing a ``Fear Uncertainty and Doubt'' on us...
in a previous life as a professional paranoid (security person), I
got asked why Unix (including B2 Unix) didn't obfuscate passwords 
passing across the net.

 	The answer is that the cost of obfuscating passwords was
only a little less than encrypting, passwords and data both, and
there weren't enough cycles available to encrypt the data.  So 
encrypting passwords but no the data the passwords protected was a
lov-value high-cost exercise.
	The MIT folks invented an elegant workaround, and
encrypted a challenge to be decrypted by the password, but did so
using (1) a dedicated fast server and (2) a willingness to let the
client (and its user) sit and wait.

	Now that we **DO** have enough cycles to encrypt everything, I
do.  I use Skip (http://skip.incog.com/), even on my wife's PC. It's
free and fast, and it encrypts everyting is an IPsec-oriented way.

	I used to refer to MS's scheme this as ``wearing steel glasses 
to protect your eyes in battle''.  You still get killed by bullets to 
the heart, and never know when to duck!

--dave (hmmn, didn't I just say that?) c-b

David Collier-Brown,  | Always do right. This will gratify some people
185 Ellerslie Ave.,   | and astonish the rest.        -- Mark Twain
Willowdale, Ontario   | davecb at hobbes.ss.org, canada.sun.com
M2N 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb

More information about the samba mailing list