Hacker News new | past | comments | ask | show | jobs | submit login

Is this really a security flaw from Microsoft, necessarily, or just a convention adopted that leads to a lot of accidental misdirection of traffic?

Don't get me wrong, making users be explicit is ideal, but this doesn't feel like it belongs in the same boat.




It's definitely a security flaw created by Microsoft.

A default/pre-filled value should be an acceptable value to use. By prepopulating "Corp", they implied that it was an acceptable value their customers could use.

What else would you think a prepopulated value would mean?

Fixing a flaw this big for what we assume is under $2 million seems like a bargain.


but they didn't pre-populate it. they used 'corp' within their instruction text as a placeholder for whatever the corporation wanted to use. from my understanding, nothing was pre-populated.


I'll give them a break if the text predates RFC2606 (1999) and the product hasn't been touched since.

> Confusion and conflict can be caused by the use of a current or future top level domain name in experimentation or testing, as an example in documentation, to indicate invalid names, or as a synonym for the loop back address. Test and experimental software can escape and end up being run against the global operational DNS. Even examples used "only" in documentation can end up being coded and released or cause conflicts due to later real use and the possible acquisition of intellectual property rights in such "example" names.

(emphasis added)


I don't know.

Meaning that in this case the MS customers are not "end customers", they are highly specialized (in theory) and highly paid (in practice) IT specialists setting up (part of) a complex (and security sensible) corporate network backbone such as Active Directory.


Except that this was also the default in SBS, a product specifically designed for a small business with little to no IT staff. (Why a small business that didn't have IT staff would bother with AD I do not know, but I believe the package also included an email server?)


Yep, but come on, any small business owner won't even know what AD is or why it should be used, and they would be convinced to use it by an external consultant (as well in theory belonging to the highly spoecialised and highly paid IT people).

This leaves us with only a part of small businesses (the ones where the owner let his daughter's son, or his cousin, which is "good at computers" manage their network).




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: