wizardbeard

joined 2 years ago
[–] wizardbeard@lemmy.dbzer0.com 4 points 4 months ago (1 children)

Sure, the way I worded that is. Especially when divorced from the rest of that section.

But I hope it is clear from the rest of that section that I'm drawing a line to separate the idea of CIS = majority default vs. the attitude that CIS is the only valid option.

CIS being the majority default is just reality. Statistics.

CIS being the only valid option is bullshit.


When distilling concepts like that into the shorter statement "cisnormativity is a problem", I feel that nuance is lost. The almost immediate follow-up question is "Do you have a problem with CIS people being the norm/majority default, or do you have a problem with the fact that their being the norm/majority default is being used by some to suppress the validity of other options?"

[–] wizardbeard@lemmy.dbzer0.com 7 points 4 months ago

being born into a little seed cash and enough comfort to go a while without working a straight job. As Julie says when someone repeats that Amazon was started in a garage: Ain't no garages in the trailer park.

We need look no further than the "hackathon," that sad facsimile of the days when we were all learning the basics so fast that the world could be ours with just a day or two of focused effort. Hype up an exciting atmosphere, assemble some folks with so few attachments in life that they have time to spend all weekend at a hackathon, and this ritual will summon up the old gods. The hackathon is the proof that people believe this can work, and it is the proof that it doesn't.

[–] wizardbeard@lemmy.dbzer0.com 5 points 4 months ago

Yep. If the network is local only and can't reach Azure (for Entra) or the Domain Controller (for AD) that we're saying is at another physical location, then there's no way for the machine to see the new password. It will continue to accept the old cached password until that network issue is resolved.

But that's always been the case. It's how Windows NT and forward work. In that scenario, you could only reach the machine over RDP if you were on another machine on that isolated network.

[–] wizardbeard@lemmy.dbzer0.com 13 points 4 months ago

And there it is. It almost always comes down to "cishet bad".

Look. I almost killed myself over how many times I was told I had to be gay growing up when I wasn't. Often by well meaning people. Please don't turn transness into the new default label for people who aren't gender conforming.

[–] wizardbeard@lemmy.dbzer0.com 6 points 4 months ago* (last edited 4 months ago) (1 children)

The cost of misgendering a cis person is that they feel weird.

Let's be clear: that is an assumption. I understand that there is a shit ton of fake astroturfing going on, but not every single story of detransitioning is lies.


For a more personal experience point to this:

When I was a teen, transness wasn't really talked about, so a cis male being un-masculine "had to" mean they were gay.

Cards on the table, I'm bisexual. But only for a single digit number of men. I'm effectively cishet.

But with how many times I heard that I must be gay, from bullies, from well meaning folks, from strangers... it added significant additional turmoil to my toughest times as a teen. Suicidal ideation tough times.

And now, over a decade and a half later, I'm still not a particularly masculine man in a standard ass cishet marriage with a kid. And I'm happy and comfortable in my identity.

So I have a tough time hearing this repeated narrative of "there's no downsides!"

[–] wizardbeard@lemmy.dbzer0.com 11 points 4 months ago

I felt it was vague enough for the sake of the argument.

End of the day: there are different social rules for different environments. A group of friends, where you know the people involved, is not the situation the egg prime directive is meant for.

[–] wizardbeard@lemmy.dbzer0.com 14 points 4 months ago (7 children)

The assumption that demonstrating traits not aligned with your gender must make you the other gender is silly, short sighted, needlessly restrictive of potential identities, and in and of itself dangerous. Full stop.

That is the same logic used years back to argue that men who were not traditionally masculine had to be gay. That causes harm as well. Harm I've experienced through bullying, ostracization, etc. After hearing that assumption of my sexuality enough times, I suffered confusion about my identity as a teen. Now people are arguing that somehow, using that same logic, it now means you're trans?

I cannot make this any clearer: Present people with their options and allow them to make their own damn choices.

Over a decade later I'm still not particularly masculine, and I am happy in a cishet marriage with a child I am proud to be a father to. Yeah, I'm technically bisexual. I have a single digit number of men I've encountered in my 30+ years that I could go for, but I'm not gay, which was the identity prescribed to me.


When even the most generous studies show trans people as making up a single digit percentage of the population, it's silly to argue that there is an intrinsic problem with CIS being the default.

The problem is when people don't understand that not being cis is an option. Or when they don't leave options open. Don't conflate that with the fact that good or bad, cis is factually overwhelmingly the default.

If people are allowed to be whatever they wish (and they should be) then there is room for people who are cis but display traits not aligned with that.

Tomboys exist. Women who demonstrate traditionally masculine traits but are still women. There are also trans men, who may have done the same pre-transition but are men. There has to be room for both.

Not entirely sure what the term would be, but feminine men exist who are still men and are not trans. There are also trans women.

All of those identities are valid. Assuming trans because of non-conformity is just setting a new needlessly restrictive default.


Lastly, once again I must emphasize that:

your example of someone in a group of friends is NOT what the egg prime directive is about.

Different fucking social situations call for different rules and approaches. For fucks sake.

[–] wizardbeard@lemmy.dbzer0.com 91 points 4 months ago (23 children)

Not to "true Scotsman" this, but the egg prime directive isn't saying you can't have those conversations with people.

This person notably didn't say "my trans friends told me I was an egg, so I tried HRT just to shut them up." It sounds like they were aware it was an option through conversations where it wasn't pushed at them. This person made their own choice.

The egg prime directive is saying that you don't get to declare someone else's identity for them. You don't get to make that choice for them. It's about consent.

I think most of us would agree that it would be abhorrent to tell someone who is asexual that they just haven't found the right partner yet and clearly they're homosexual (or straight or bi) in denial. I see it as the same thing.

And the online culture of labelling other people as eggs is so far removed from the concept of "trying to help someone figure out who they are" that I have a very hard time taking this in good faith. C'mon, of course there are different rules for socialization online vs in person vs with friends.

[–] wizardbeard@lemmy.dbzer0.com 13 points 4 months ago* (last edited 4 months ago) (1 children)

This is someone trying to spin a CVE out of the way Windows has handled password caching for literal decades. If it can't reach the IDP, it allows you to log in using the last confirmed valid password.

Of course CA won't work if you can't reach Entra to pull them. Of course the machine can't require you to use the newest password if it can't reach AD to check against it instead of the cached one. This is basic fucking functionality that any serious Windows admin should already be familiar with.

It's definitely an interesting edge case where you can't reach Entra or AD but the device can still be reached by RDP, but this "security hole" is literally what the caching is meant for. Maintaining the ability to access the machine if the IDP isn't reachable.

It's how almost any org using AD as their IDP allows users to log in from home before they are connected to VPN. Microsoft isn't going to break that functionality.

In an ideal world, there would be separate password caching controls for every combo of AD/Entra/Other IDP and local/remote, but here in the real world this functionality can be controlled by the same controls for it that have been around for literal decades. In an ideal world, there'd also be ways for CA policies to be cached and enforced locally if Entra isn't reachable, but here we are.

Also, shame on Ars Technica for not linking the actual research, and for being as vague as fucking possible about the details in service of making this clickbait.

[–] wizardbeard@lemmy.dbzer0.com 22 points 4 months ago* (last edited 4 months ago) (2 children)

I'm not exactly calling bullshit, but I've worked almost the entire last decade in IT in a Windows environment that has a decent amount of RDP use and has grown from ~2000-4000 employees during that time.

We've never encountered this as described. Whatever this situation that allows the cached password to persist indefinitely is, it is a situation that would need to be engineered by the attacker.


From what I can tell, this "exploit" is just the standard NT password caching functionality that Windows has had for literal decades. Windows caches the last valid password used to log in, so if you lose your connection to your identity provider (AD or Entra) you can still log in with the last password confirmed to be valid.

In AD environments, this is what allows you to log into your laptop at home before you connect to VPN. You can't hit your work AD before you're on the work network. It also causes some fun because if you changed your password at work but didn't lock and unlock your computer with the new one, it might still have your old one cached for the login screen but need the new one for VPN. This was a fairly common support call (I'm out of direct user support now so I can't easily see if it still is).

Any situation where an old password would be valid indefinitely and a new one not recognized would require the machine to not be able to reach AD or Entra, but also to still be reachable by RDP... indefinitely. That's definitely not impossible, but it's one hell of an edge case to use the term "indefinitely" for.

It's annoying that there aren't separate settings from "local logins with AD as the IDP" and "remote logins with RDP" or "logins with Entra", but this feature is pretty damn critical for remote workers to be able to function and it is an intentional design choice as Microsoft states. Any potential workaround for a theoretical lack of this functionality is worse than the current state. Can't rotate passwords on a local break glass account if the machine can't reach your IDP, leaving effectively the same hole except with an account known to have elevated access.

There's no nefariousness here or lack of due diligence. Labeling it as some horribly dangerous security hole with the amount of vagueness this article has is just misleading and clickbaity.
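One way to audit the long-standing control behind the cached-logon behaviour described in this comment, as an added example that is not the commenter's own text: a PowerShell check of the Winlogon CachedLogonsCount value (the "Interactive logon: Number of previous logons to cache" setting) together with whether the host can currently reach a domain controller. The threshold in -MaxAllowed and the -Remediate switch are this script's own assumptions, not a Microsoft recommendation.

```powershell
# Added example (not from the thread): audit the cached domain logon setting that
# underlies the behaviour discussed above. The registry value is the standard
# Winlogon "CachedLogonsCount" (the "Interactive logon: Number of previous logons
# to cache" policy); the threshold and the -Remediate switch are this script's
# own assumptions, not a Microsoft recommendation.
[CmdletBinding()]
param(
    # Maximum number of cached logons you consider acceptable for this host class.
    [int]$MaxAllowed = 2,
    # Lower the value to $MaxAllowed when it is higher (requires local admin).
    [switch]$Remediate
)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name = 'CachedLogonsCount'

# The value is stored as REG_SZ; a missing value means the Windows default of 10.
$raw   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$count = if ($null -eq $raw) { 10 } else { [int]$raw }

$cs           = Get-CimInstance -ClassName Win32_ComputerSystem
$domainJoined = $cs.PartOfDomain

# Test-ComputerSecureChannel reports whether a DC is reachable right now; a host
# that cannot reach its IdP is exactly the case in which cached credentials are used.
$dcReachable = $false
if ($domainJoined) {
    try { $dcReachable = Test-ComputerSecureChannel -ErrorAction Stop } catch { $dcReachable = $false }
}

[pscustomobject]@{
    ComputerName      = $cs.Name
    DomainJoined      = $domainJoined
    DcReachableNow    = $dcReachable
    CachedLogonsCount = $count
    ExceedsThreshold  = ($count -gt $MaxAllowed)
} | Format-List

if ($Remediate -and $count -gt $MaxAllowed) {
    # A value of 0 disables caching entirely: fine for an always-connected server,
    # but on a laptop it removes the offline logon the thread describes.
    Set-ItemProperty -Path $key -Name $name -Value ([string]$MaxAllowed) -Type String
    Write-Output "CachedLogonsCount lowered from $count to $MaxAllowed."
}
```

Run it read-only first across the host classes you manage; only pass -Remediate on hosts that are always on the corporate network, since the comment above explains why remote workers depend on the cache.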

[–] wizardbeard@lemmy.dbzer0.com 3 points 4 months ago

Classic Exec move. Jump ship before the long term repercussions catch up with them. Leave the new guy holding the bag.

[–] wizardbeard@lemmy.dbzer0.com 4 points 4 months ago

Thank you. It's annoying that there isn't a separate set of settings for RDP connections specifically, but as far as I can tell this is the standard caching feature controlled/mitigated by the same means as it always has been.
