There are so many problems with this article and the previous one it references (How weak passwords and other failings led to catastrophic breach of Ascension).

Specifically, RC4 is a stream cipher. Yet, much of the discussion is around the weakness of NTLM, and NTLM password hashes which use MD4, a hash algorithm. The discussion around offline cracking of NTLM hashes being very fast is correct.

More importantly though, the weakness of NTLM comes from a design of the protocol, not a weakness with MD4. Yes MD4 is weak, but the flaws in NTLM don't stem specifically from MD4.

Dan Goodin's reporting is usually of high quality but he didn't understand the cryptography or the protocols here, and clearly the people he spoke to didn't help him to understand.

EDIT: let me be more clear here. MS is removing RC4 from Kerberos, which is a good thing. But the article seems to confuse various NTLM authentication weaknesses and past hacks with RC4 in Kerberos.

▲

matthewdgreen 5 hours ago | parent [-]

Obviously RC4 itself isn't the problem. The problem is that Microsoft ships a "ciphersuite" that includes a bad password-based key derivation algorithm that also happens to be tied to a whole pile of bad cryptography. And the real, real problem is that Microsoft still ships a design in which low-entropy passwords can be misconfigured for use in encrypting credentials, which is a nightmare out of the 1990s and should have been completely disallowed in 2010.

But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this: https://www.microsoft.com/en-us/windows-server/blog/2025/12/...

▲

Someone1234 5 hours ago | parent | next [-]

> But I'm not going to get particularly picky if people identify the bad ciphersuite by the shorthand "RC4", because even Microsoft does this

Microsoft is actually talking about RC4 there, the article is conflating NTLM and RC4 things together.

▲

jmsgwd 4 hours ago | parent | prev | next [-]

Are you referring to Windows Kerberos here or NTLM?

▲

hnmullany 5 hours ago | parent | prev [-]

What are the bets that the NSA has been encouraging Microsoft to keep shipping this?

▲

Someone1234 4 hours ago | parent [-]

Low.

While the NSA would, absolutely, use it to elevate existing internal access - it is such low-hanging fruit that they have enough alternative tools in their arsenal that it isn't a particularly big loss. Most of their competent adversaries disabled it years ago (as has been best-practice since 2010~).

More likely, it is Microsoft's obsession with backwards compatibility. Which while a great philosophy in general has given them a black eye several times before vis-a-vis security posture.

▲

GuB-42 3 hours ago | parent | next [-]

Most importantly, the NSA is not just about spying, it is also about protection.

A weakness anyone can exploit in software Americans use is not a good thing for the NSA. If they were to introduce weaknesses, they want to make sure only they can exploit them. For instance in the famous dual_ec_drbg case where the NSA is suspected to have introduced a backdoor, the exploit depends on a secret key. This is not the case here.

On the other hand if Snowden has shown us anything, it is that the NSA is more stupid than it looks.

▲

pixl97 4 hours ago | parent | prev | next [-]

There are tons of old printers/copy machines that allow SMB access or AD auth that will never see a software update that will break.

Honestly I blame the copy machine manufactures for requiring service contracts for security updates on a lot of this.

	▲	thewebguyd 4 hours ago \| parent \| next [-]
		Those stupid MFD machines have been the bane of my existence as a sysadmin ever since I started in this career many, many years ago. It's these machines, plus a few really old windows-only apps deep in basement of enterprises that keep this old tech around. There's usually no budget to remedy, and no appetite to either from leadership Its also what happens when the people buying the tech are disconnected from the ones implementing. Microsoft caters to this.
	▲	immibis 3 hours ago \| parent \| prev [-]
		Just photocopy some currency. Depending on the machine, it has a good chance of bricking the machine with an obscure error code until a service tech comes out, at which point you can point out this machine is really old and why don't we get a new one. If you'd rather not commit attempted forgery, just print out some Wikipedia pages about the EURion constellation, which is what they detect in money. Joking, obviously.

▲

expedition32 3 hours ago | parent | prev [-]

Microsoft supporting something doesn't mean that you have to use it. There's something as personal responsibility.

	▲	like_any_other an hour ago \| parent [-]
		Do manufacturers also have personal responsibility for making safe products, or does it fall to consumers to become experts in the myriad different fields necessary to asses the safety of every product they buy?