Today at the Usenix Security Symposium, I'll be an unannounced guest speaker in Dan Geer's talk on "Vulnerable Compliance". I'll be talking about the challenges raised in fixing security bugs when they are found in network protocols. There will be two case studies. One is, of course, the SSL/TLS Authentication Gap, which happily over the last nine months has been patched by most vendors (including Microsoft). The other will discuss a potentially more serious issue with another commonly used protocol: NTLM (aka NTLMv2, MS-CHAPv2). NTLMv2 is the challenge-response protocol for performing MS Windows password authentication over the networks. It's used any time a password needs to be provided to a Windows or Samba server and the client is not part of the Windows Active Directory domain. Often this happens implicitly (it can even be triggered by the attacker).
