This empowers script kiddies, but not significantly more so than they already were. Of all the places this is still in use, they've been exposed for years, so this isn't likely to result in a bunch of new exploitations.
However, it's most likely to be used by governments, with legacy servers that are finicky, with filesharing set up that's impacted other computers configured for compatibility, or legacy ancient network gear or printers.
I wonder who they're pushing around, and what the motivation is?
Mandiant is Google's incident response consulting business. Having worked for many years in that field myself (though not for Mandiant), they're probably sick of going to the same old engagements where companies have been getting owned the same way over and over again for the last 15 years.
What releases like this do is give IT ops people the ammunition they need to convince their leadership to actually spend some money on fixing systemic security problems.
> Mandiant is Google's incident response consulting business
Consulting business? I was under the impression (from Google Reader) that if users aren’t in the millions, then they’ll kill the project. How could they also run a high-touch consultancy?!
> they're probably sick of going to the same old engagements
Hmm… consultancies love this type of recurring revenue - it’s easy money
Google is a quarter million person company (if you count full time, temps, vendors and contractors).
Google Cloud is basically an entirely different company than Search or Maps. Cloud will happily sell you $10m in compute a year and a value add $400k of security consulting.
> Consulting business? I was under the impression (from Google Reader) that if users aren’t in the millions, then they’ll kill the project. How could they also run a high-touch consultancy?!
Google also has the Project Zero which doesn't fit into Google business culture either. I wonder if Mandiant is paying for their payroll.
It also empowers IT depts and cybersecurity people to be able to easily build a PoC to show why moving on from the deprecated protocol is important. In many white-hat jobs you can't just grab rainbow tables from a torrent, so a resource like this is helpful. For the grays and black hats, they've had access to rainbow tables like this for a very long time, so no change there.
It's less about torrents being the delivery mechanism and more about bringing data from a potentially unknown source, under potentially unknown licensing, and distributed for a potentially unknown reason into the corporate computing environment.
Torrents would be a perfectly valid way for Google to distribute this dataset, but the key difference would be that Google is providing it for this purpose and presumably didn't do anything underhanded to collect or generate it, and tells you explicitly how you're allowed to use it via the license.
That sort of legal and compliance homework is good practice for any business to some extent (don't use random p2p discoveries for sensitive business purposes), but is probably critical to remain employed in the sorts of giant enterprises where an internal security engineer needs to build a compelling case for spending money to upgrade an outdated protocol.
Any business that needs convincing to move on from anything labeled NTLM does not care what "nerds" have to say. They are either one of those "I'm not spending money on something that works" or stuck with such legacy technical debt that at this point, removing it from environment is too costly to even consider so executives kick it down the road.
Or it’ll be like a conversation I had yesterday, where the “Active Directory guy” who’s been in the job for 20 years doesn’t even know that there’s an NTLMv1 and an NTLMv2.
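A practical first step for the "show leadership the problem" case discussed in this thread is to find out which clients still negotiate NTLMv1 at all. Windows logs a successful logon as Security event 4624, and its "Package Name (NTLM only)" field says whether the response was NTLM V1, NTLM V2 or LM. The script below is an added example, not code from the thread or from Mandiant/Google: it parses the rendered text of such events (as exported from Event Viewer) and tallies the legacy NTLM logons by account and workstation. The three event blocks are constructed sample data, trimmed to the fields the check reads, and the `---` separator is an assumption about how the export was delimited.

```python
import re
from collections import Counter

# One "Key:<tabs>Value" line of the rendered 4624 event text.
FIELD_RE = re.compile(r"^[ \t]*([^:\r\n]+?):[ \t]*(.*?)[ \t]*$", re.MULTILINE)

# Values of "Package Name (NTLM only)" that mean a legacy challenge/response.
LEGACY_PACKAGES = {"NTLM V1", "LM"}

# Constructed sample (not captured data): three 4624 events, trimmed to the
# fields this check reads, separated by an assumed "---" line.
SAMPLE_EVENTS = """\
An account was successfully logged on.
Subject:
	Account Name:		-
	Account Domain:		-
Logon Type:		3
New Logon:
	Account Name:		svc-backup
	Account Domain:		CORP
Network Information:
	Workstation Name:	OLDPRINTER01
	Source Network Address:	10.0.5.17
Detailed Authentication Information:
	Logon Process:		NtLmSsp
	Authentication Package:	NTLM
	Package Name (NTLM only):	NTLM V1
	Key Length:		56
---
An account was successfully logged on.
Subject:
	Account Name:		-
	Account Domain:		-
Logon Type:		3
New Logon:
	Account Name:		jdoe
	Account Domain:		CORP
Network Information:
	Workstation Name:	WS-4471
	Source Network Address:	10.0.7.23
Detailed Authentication Information:
	Logon Process:		NtLmSsp
	Authentication Package:	NTLM
	Package Name (NTLM only):	NTLM V2
	Key Length:		128
---
An account was successfully logged on.
Subject:
	Account Name:		-
	Account Domain:		-
Logon Type:		3
New Logon:
	Account Name:		jdoe
	Account Domain:		CORP
Network Information:
	Workstation Name:	-
	Source Network Address:	10.0.7.23
Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Package Name (NTLM only):	-
	Key Length:		0
"""


def parse_events(text):
    """Split the export on '---' lines and turn each event into a field dict.
    'Account Name' appears under both Subject and New Logon; the later
    (New Logon) value wins, which is the account that actually logged on."""
    events = []
    for block in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        if block.strip():
            events.append(dict(FIELD_RE.findall(block)))
    return events


def is_legacy_ntlm(event):
    """True when the logon used NTLM with an NTLMv1 or LM response."""
    return (event.get("Authentication Package") == "NTLM"
            and event.get("Package Name (NTLM only)") in LEGACY_PACKAGES)


def find_legacy_ntlm(events):
    return [e for e in events if is_legacy_ntlm(e)]


def summarize(events):
    """Count legacy logons per (DOMAIN\\account, workstation, package) so the
    owner of each offending client can be tracked down."""
    counts = Counter()
    for e in find_legacy_ntlm(events):
        account = f"{e.get('Account Domain', '?')}\\{e.get('Account Name', '?')}"
        key = (account, e.get("Workstation Name", "?"), e.get("Package Name (NTLM only)"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (account, host, package), n in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{n:4d}  {package:8s}  {account:24s}  from {host}")
```

In a real environment the 4624 events must be collected from the domain controllers and member servers that perform the authentication, and the same "Package Name" field is also exposed as structured XML data through `Get-WinEvent`, which is a more robust input than rendered text once the inventory moves beyond a one-off check.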
You've been able to find these for years. In fact it's entirely possible they just grabbed some or all of them out of an existing torrent originally.
It would completely not surprise me if there are automagic attacks on net-ntlmv1 at this point against some cloud hosted storage. This has been doable by anyone since like 2016 if you had the space and weren't prevented from using that protocol version.