Back to Top

Sunday, August 19, 2007

Hack the Gibson #94, #95 and #96

Read the reason for these posts. Read Steve Gibson's response.

I've talked a lot about authentication in two recent blog postings (Getting ahead of the curve and Two channel authentication with the followup Two channel authentication - part tow), so I won't really cover episode #94 in detail.

Now for episode #95, OpenID

One of the first confusing things is that they keep mentioning OpenID and multi-factor authentication together. In fact there is no inherent connection between the two. All that OpenID is is a protocol to implement authentication by proxy, that is if you want to authenticate to a webpage P, you would authenticate to your OpenID provider O, which in turn would relay a signal to P saying that yes, s/he is who s/he says s/he is, because the authentication was successful. Of course one of the first question that comes to mind is how trustworthy the proxy is... And also, the proxy itself can employ multi-factor authentication if it wishes, but there is nothing in OpenID which says it must.

On the plus side, the SpinRite story includes mentions of backups (and not just backups, but off-site backups, wow!).

Finally, the most fertile type of episode (from my point of view): listener Q&A. Because, my main grief with Steve is that (a) he fails many times to give credit where credit is due and (b) messes up the concrete examples. The big picture that he provides is usually correct, however, as the say, the devil is in the details and if you get the details wrong, while proclaiming you absolute knowledge of the matter, you end up confusing, or worse, misinforming people, and misinformation is the main problem in day-to-day security.

Regarding the first question: the main answer to the question is right. However the corollary that just by being behind a NAT and disabling scripting you're safe, if false, false, false. This is very dangerous because it gives people the wrong impression on how they should secure their system. To give you just one scenario: the WMF bug, which Mr. Gibson is surely familiar with, since he made some pretty bombastic claims (that it would be an intentional backdoor created by Microsoft), would have gone through these defenses like a hot knife through butter. If you wish to keep yourself secure, there are basically three things you need to remember:

  1. The first and most important is that there is no such thing as perfect security! Anybody who claims to have such a thing is talking BS or wants to sell something :). A corollary to this is that because security and usability are inversely proportional (since security means limiting the possible uses of the system), a perfectly secure system would be totally unusable (by definition). As I said many times, you should inform yourself before making any decision, to make sure that you make compromise which is in line with your values.
  2. The second thing is defense in depth. From the fact that there no perfect security follows the fact that there is no one setting or product which could provide it. Every additional layer of protection (if properly created and implemented!) reduces your risk of exposure. Some layers which should be implemented: running as limited user, using an AV software and/or a HIPS (again, depending on the level of (in)convenience you are willing to tolerate) and taking a look at the third point below :)
  3. The third point would be running an atypical system. It is a fact that there are more attacks against popular software than there are against less popular ones. This means that choosing software which is not run by the majority (ie Linux over Windows, Firefox over IE or Thunderbird over Outlook) will keep you safe 99% of the time.

On the next question, where the caller asks what about situations where he would want other to be able to access the information (like his family in the instance of him passing away), there is one more solution that didn't get mention: key escrow. Basically you give your encryption key to a third party (a company usually) and specify under what circumstances should it be divulged and to whom (for example if a proper death certificate is presented to a family member).

The next question / comment is dead on, and I could now go back and say it took X episodes for this issue to be addressed, but rather I'll just move on to the next question.

The next question is correctly answered (as far as I can tell - myself not being a Mac user), but programmer Steve gets something wrong, which wouldn't be so terrible (because after all, we all are humans), would he had prefixed his sentence with as far as I know. So when he says And Windows has nothing like that (about the MacOS X Keychain), he is right only in the most narrowest sense. Windows doesn't have anything which works exactly like that, however it has a feature called protected storage, which is used for example to store authentication credentials from IE or autocomplete elements and it has a full API for third party developers to use.

On the next question (or rather, the answer) Steve mentions that he records his DVD's at 1x for backup purposes. I'm no expert at this (see, these little magic words are the ones I miss most in the podcast), but I've hear the opinion that recording modern disks at 1x does more bad than good, the idea being that they were created for faster recording and slower recording can cause parts of the disk to overheat.

On the next question Steve answers exactly the opposing question, but to his credit, he corrects himself in the next episode.

With regards to the last question: in fact it is possible to have a completely secure wireless installation accessible by anybody. However, most probably the municipal WiFi projects won't be implemented using these techniques.


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.