“ According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs" to make them "exploitable." ... One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.”
—New York Times
Kinda wild hearing about anything even using MD4. I remember doing an MD5 attack in a security class like 20 years ago. Obviously that kinda what this whole article is about but literally the first time ever hearing "MD4".
"That's the crazy thing most of the security that active directory uses was built in the 90s or early 00s with windows nt. The have only really been patching it since, security is a great place to see really retro stuff
When you turn off the bad cryptography, the product becomes unusable.
The purpose of a system is what it does.
That quote would mean that the system being unusable without RC4 is exactly the point.
It doesn't mean that a system is what its makers intended for it to do.
Yes, that is precisely my point.
“ According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which "actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs" to make them "exploitable." ... One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.” —New York Times
Fair point, it just wasn't immediately clear to me :)
See perhaps recent story "Kerberoasting" about extracting encrypted service account credentials from Active Directory:
* https://news.ycombinator.com/item?id=45196437
Kinda wild hearing about anything even using MD4. I remember doing an MD5 attack in a security class like 20 years ago. Obviously that kinda what this whole article is about but literally the first time ever hearing "MD4".
Notably, those attacks aren't problematic in the setting MD4 is used in here (but the "outer" construction iterating it is deeply problematic).
"That's the crazy thing most of the security that active directory uses was built in the 90s or early 00s with windows nt. The have only really been patching it since, security is a great place to see really retro stuff
just like windows 11 gui, security on windows is like putting lipstick on a pig