Safe Computing Practices (aka How Not To Get Viruses, Hacks,


Lealla

Post#16 » Wed Jan 21, 2009 11:52 am

Some fingerprint scanners combine the print reading with an infrared sensor to make sure it's attached to an actual living person. While spy and crime films love to have people use fingerprint overlays on their hands, it's a lot harder to pull off than it looks.

Retina patterns are much harder to fool but the systems to scan them are a lot more expensive.

I favor two-factor authentication, such as a password combined with either a biometric or hardware factor (the Blizzard Authenticator is a perfect example).

Gnomerman

Post#17 » Wed Jan 21, 2009 12:16 pm

Ecnailla wrote: Fingerprint is flawed like crazy - fingerprints are too easy to get copies of - it's like if you walked around writing your password on every smooth surface you touch.

A hacker isn't going to follow you around, and have the skill and know-how to pull that off.


There is more to life than pew pew you know, like staying out of the fire so you can live to pew pew another day

Lealla

Post#18 » Wed Jan 21, 2009 12:31 pm

Gnomerman wrote: A hacker isn't going to follow you around, and have the skill and know-how to pull that off.

Well, of course. But we're actually talking about two different things.

There's local authentication, where you are expected to be physically present at the resource you're trying to use. Examples would be your work or home computer, entering a building, taking an exam (at school), etc. In these places, biometric authentication is practical because the resources are all localized and the infrastructure is physically controlled by the security provider. This is exactly the place, however, where biometric security can be fooled by someone who gains access to your fingerprints or other biometric data.

Online authentication, on the other hand, must rely on less secure data transport methods as well as limited bandwidth. You could in theory set up a fingerprint scanning system that would securely transmit its data to a remote computer for authentication, but that's prohibitively expensive (not to mention awkward and error-prone) for most businesses. Of course a hacker can't steal your fingerprint from Romania, but they could in theory duplicate the protocol and the fingerprint data, then use it just like they would a password.

You can also have biometric security on your personal system, acting as a lock on a password repository that then is transmitted to the site you're trying to log onto. The advantage of this is that it bypasses most keyloggers, but it still relies on a secure path between your system and the remote service, and doesn't help at all if the password is compromised by other means.

The only way I can see biometrics becoming useful in a general sense is if some form of universal authentication protocol were to be adopted - something like Microsoft's Live ID system. That way, sites hand off authentication to a third party that can establish uniform criteria and provide or even mandate multi-factor protocols. You could use this system in many ways: to securely store personal data, credit cards, and the like.

However, it would have the undeniable flaw of being a single point of attack. One compromise and you don't lose just your JC Penney account, but potentially everything all at once. There would inevitably be severe privacy concerns as well.

Ecnailla

Post#19 » Wed Jan 21, 2009 12:46 pm

I think local security for business should go the way of ID cards. I swipe my card to get access to the building, so why not swipe the same card to log in? I think that is where it will end up; they just haven't gotten there yet.

Lealla

Post#20 » Wed Jan 21, 2009 12:52 pm

So, if someone gets your ID card, they can log in as you without any other authentication factors? I'd still use two-factor for serious physical security: a card plus a fingerprint/password is more effective than either alone.

Physical and online security are dramatically different things - most businesses (except those with a need to handle private or classified data) don't generally have to worry about someone walking into their IT room and making off with the company payroll database. They do have to worry about someone cracking or keylogging their staff's passwords, something completely unrelated to physical security.

Of course, laptops are a different story, and many businesses have found out the hard way that leaving private data on unsecured laptops leads to costly consequences. Still, ID card authentication alone is not much stronger than passwords, and potentially weaker if the ID card is stolen along with the laptop.

Ecnailla

Post#21 » Wed Jan 21, 2009 1:11 pm

Oh, I just assume passwords will always be in place - I mean on top of that.

Gnomerman

Post#22 » Wed Jan 21, 2009 1:30 pm

Card and a password over here. And Lealla, the US government uses some kind of system with the card. I can log into any DoD computer that my level of security is allowed to with the card and PIN/password I have. However, they have a lot of resources and a single data center dealing with the thousands (I would say millions is closer) of DoD personnel.

Granted, if someone had my card, and it logged into the system, they would know in a matter of seconds exactly where the card was. I don't particularly like the idea of the government knowing where I am at any given time; however, I'm not too upset about it, it's not like I use the card everywhere.

However, down the line, if there was one happy centralized data center, then the US government (you know they would have their fingers in it) could access your entire life's money history: from where you buy gas on any given day, to what your favorite place to get food from is, your grocery store of choice, what you got your mom for her birthday, what your favorite brand of beer is, your favorite brand of condoms, how healthily you eat, what you like to do for fun.

Granted, right now the government can find that out relatively quickly, with the proper warrants (or if there is any reason at all they think you may be involved in anything they deem terrorism; imagine if they determined WoW is a form of terrorism).

Having all this data on a centralized system means they have this information in less than a second. If there ever becomes a ban on paper currency, or keeping gold bars in your personal possession, I'm moving the hell out of the country, cuz that is scary shit. That is like one minute you're free, the next minute the whole country is imprisoned in their own lives, and you can't do anything to get away cuz you lost control of your money.

Lealla

Post#23 » Wed Jan 21, 2009 2:10 pm

Gnomer, if I may be allowed to pursue my concept, the idea isn't for the centralized database to store all of that information. Its main purpose would simply be to verify that you are you. In essence, instead of having separate logins and passwords to every resource, you'd log into a single system which would then share that authentication with any other site you visit that uses the protocol.

The authentication system itself wouldn't need to store much information - if I were running it I'd mainly have it store data that's common to the accounts you set up with any other site, such as name, email address(es), mailing/billing/shipping address, phone #s, etc. You would have the option to store credit card and bank account information for payment purposes, but it wouldn't be required.

The system would then allow you to choose the data elements you want to share with any site you're attempting to log into. Example: for a web forum, you mainly just need your email address and an alias. So, when you go to that forum, you click on the "authenticate me" button, and you get a popup saying, "Okay, you want to create an account on this site. Please provide a desired handle, and check off the things you want to share. X and Y items are mandatory. This site has a privacy policy with the following items...". Once you're done, that information would be stored permanently and used whenever you connect to the site.

You could set up preferences for whether you want to use a single login cookie for an entire browsing session or have to authenticate to each site separately, or even have individual profiles for each site. You'd also have a master control panel that you could use to review each site's profile and modify, discontinue, or even block access.

You could add all kinds of services to this basic system. Examples that I can think of off the top of my head include:
* A feedback/profiling system that alerts you to a site's reputation and alerts of reported scams, sort of like a BBB rating.
* You could link multiple accounts within a family and set up a "parental" or supervisory account that lets you set parental controls, browsing times, track logins to sites, etc.
* Businesses could provide additional services based on the voluntarily shared contents of your profile. This would work by having a "public" authentication layer where sites can share specific data with each other based on your profile without being able to impersonate you. As an example, you could let Amazon and Barnes & Noble share your book and music ratings to give improved recommendations.

The cost of the system could be easily absorbed by (a) charging users a small fee for universal access, (b) charging businesses a fee based on usage - for example, a forum wouldn't need anything more than basic access and would pay little or nothing, while an online store might pay 0.5% of sales or a fixed rate per user or something. This is almost certainly less than these businesses already spend on password security.

The weakness of this system, of course, is that if your universal authentication is compromised, someone could access everything, not just an isolated subset of your data. To offset that, two-factor authentication would be much easier to manage (and indeed, market) if it's associated with a single site instead of dozens or hundreds. Identity theft would become obsolete overnight if the hackers had to get physical possession of a SecurID or similar dongle to access your accounts.

On the privacy side, the government could indeed exercise power to access everything you do online. Hell, they can do that now; it would just become a lot easier. The trick is to remember that the government must ultimately be responsible to the people, and if things get to the point where you have to hide everything you do from Big Brother, it's no longer a democratic country. In other words, you have to trust them at least to a certain point, and if you don't, well - you might as well move or shoot yourself or go hide in a cellar in Montana or something.

IMajorSmall

Post#24 » Wed Jan 21, 2009 2:25 pm

Lealla wrote: So-called "dictionary" attacks are getting much harder these days, as many authentication systems will either lock after a certain number of attempts or impose a delay such that an automated attack is too inefficient.


I was referring to more aggressive dictionary attacks, not just brute force attacks. The type where a password file is compromised and cracked. Granted, with even a default configuration of most systems that's not really possible anymore, but you never know. I opened up the computers at one of my old jobs that way (just for fun and to see if I could--I didn't do anything but destroy the results). You'd be surprised just how many people use things like "radio", "muffins", "bunny", "beach", etc. as passwords. Even if they didn't have anything important on those networks, I could still do whatever I want, and it'd only be traceable back to them if I did it right.

The problems with a centralized database are at least twofold: It leads to a single point of failure or compromise, and you need to put your trust in another administrator. Now I'm not the paranoid type, but when it comes to security and anonymity, it's just best not to trust others.

As for verifying that you are you, that's what PGP/GPG signatures are for. For example, I could sign this post with my private key. Nobody else has that key, so nobody else could do that. If you wanted to verify that it's me, you could use FireGPG or anything else that can do the task and look up my public key to verify on any of the distributed keyservers (I personally use the one at MIT).

Lealla

Post#25 » Wed Jan 21, 2009 2:36 pm

You are not going to get every Internet user in the country to use PGP signatures or encryption. Unless it's changed a lot from when I first saw it, it requires a lot of effort to set up and maintain, and compatible email software to boot. I'm not going to download a separate piece of software just to verify that you're actually the one writing that post - it's stupid.

Besides, I'm not talking about emails alone. I'm talking about Amazon.com. Or your bank. Or your state's tax system. You still need a trusted third party to handle authentication, and if you're going to go that route, why not have the third party store all the necessary data? If it's compromised, it's compromised - but the good part is that it would be the only point of attack and therefore much easier to protect than ten thousand individual companies who care more about sales than they do about security.

Edit: you mentioned anonymity. That's going to be a necessary sacrifice in the future. Why? Two reasons. First, the Internet is getting to the point where you have to identify yourself in order to receive goods and services, and that puts your information out there whether you like it or not. Second, some form of upstream authentication is going to have to be implemented in order to put an end to spam and botnets once and for all.

If you think you can surf the digital world in this day and age without leaving tracks, you're delusional. Besides, do you really think your privacy is safer in the hands of thousands of individual companies than one service specifically chartered to protect it?

There will always be sites and services that reject mainstream authentication so that the warez dudez and tinfoil hat crowd can go play in their little sandboxes, but those are going to be increasingly marginalized and irrelevant to business as time goes on.

IMajorSmall

Post#26 » Wed Jan 21, 2009 3:06 pm

Lealla wrote: You are not going to get every Internet user in the country to use PGP signatures or encryption.

You won't, but you also won't get every Internet user to pick secure passwords. You also won't get everybody to use the Internet.

Lealla wrote: Unless it's changed a lot from when I first saw it, it requires a lot of effort to set up and maintain, and compatible email software to boot.

It takes some effort to set up, no effort to maintain. And you don't need compatible email software. It makes it easier, but it's not necessary.

Lealla wrote: I'm not going to download a separate piece of software just to verify that you're actually the one writing that post - it's stupid.

So then you're requiring everybody that hosts web services to download the software, and them to deal with the overhead for something that's not necessary for probably 90%+ of the communications that go through the intertubes?

Lealla wrote: Besides, I'm not talking about emails alone. I'm talking about Amazon.com. Or your bank. Or your state's tax system. You still need a trusted third party to handle authentication

Here I agree with you - A state (by state I mean Fed. Govt.) sponsored way to authenticate, I think, would work well if properly implemented.

Lealla wrote: and if you're going to go that route, why not have the third party store all the necessary data? If it's compromised, it's compromised - but the good part is that it would be the only point of attack and therefore much easier to protect than ten thousand individual companies who care more about sales than they do about security.

Here I disagree. While you make an excellent point about the security, I don't think one service should have all the information anybody would need on me. If somebody wants to get my information to steal my WoW account, I don't also need them to get access to my SSN. While you could theoretically make the WoW account information just as secure, why take the risk?

The problem with having a state-sponsored system, is that it gets wrapped up in politics. Ideally you want a world-wide system, but which state will control it? The UN? Do you think they have the resources for that? USA? Have you heard about the wiretapping problems we've had? China? Russia? heh.

The point is, there's no good way to implement a world-wide, government-sponsored system that works for everybody. The best thing right now is PGP. With optional keysigning, you can build a web of trust, and don't have to rely on any one authority to look out for you. You can look out for yourself. Sure, it's a little complicated right now, but with the right adoption and integration, it can be used easily by anybody. And honestly, is downloading a Firefox plugin really so much work to do for the huge amounts of security it can provide?

Lealla

Post#27 » Wed Jan 21, 2009 3:31 pm

IMajorSmall wrote:
Lealla wrote: You are not going to get every Internet user in the country to use PGP signatures or encryption.

You won't, but you also won't get every Internet user to pick secure passwords. You also won't get everybody to use the Internet.

As I said, I'm not specifically (or even particularly) concerned with email here. Email is not going away, but if we can establish a secure authentication protocol for that as well, it would go a long way towards eliminating spam.

I already posted my ideas on this in another thread - the basic idea is that each upstream host would be required to authenticate its traffic with the sender. In other words, if an email comes from your computer, your ISP would reject it if the IP address or From address didn't match a table of authorized senders on your account. Rack up enough violations and your access is disabled until you fix it. If your ISP is compromised, then its own upstream provider will lock it out, and so forth.

A universal login would potentially make this even simpler, as you would have to log into your account to send mail, and therefore you could apply strong authentication at the point of origin. Any email sent without this authentication could be presumed to be spam and filtered at any point in the process.

Lealla wrote: I'm not going to download a separate piece of software just to verify that you're actually the one writing that post - it's stupid.

IMajorSmall wrote: So then you're requiring everybody that hosts web services to download the software, and them to deal with the overhead for something that's not necessary for probably 90%+ of the communications that go through the intertubes?

They would be free to accept or reject the universal service as they choose, and every effort would be made to allow adoption to be as simple as possible. You wouldn't even need to worry about it at all unless you provide services that require access to authenticated data.

IMajorSmall wrote: Here I disagree. While you make an excellent point about the security, I don't think one service should have all the information anybody would need on me. If somebody wants to get my information to steal my WoW account, I don't also need them to get access to my SSN. While you could theoretically make the WoW account information just as secure, why take the risk?

Yes, but how did they steal your account? Did you get phished? Keylogged? Either way it's not just your WoW account at risk, especially with a trojan on your system. If you just have a user ID and password, you're extremely vulnerable, but the ideal system would implement two-factor authentication with a physical component that can't be replicated by a hacker. The tricky part is getting people used to the idea - will 90 year old Grammy Jones be able to remember where her dongle is? Or afford a fingerprint scanner?

IMajorSmall wrote: The problem with having a state-sponsored system, is that it gets wrapped up in politics. Ideally you want a world-wide system, but which state will control it? The UN? Do you think they have the resources for that? USA? Have you heard about the wiretapping problems we've had? China? Russia? heh.

Politics will always be an issue, but I'd start with the "If you build it, they will come" principle. The concept is already in place with private enterprise - just look at Microsoft's Live ID service, which I used as my original example. All you'd need is government sponsorship under an administration that doesn't kowtow to politics too much.

IMajorSmall wrote: The point is, there's no good way to implement a world-wide, government-sponsored system that works for everybody. The best thing right now is PGP. With optional keysigning, you can build a web of trust, and don't have to rely on any one authority to look out for you. You can look out for yourself. Sure, it's a little complicated right now, but with the right adoption and integration, it can be used easily by anybody. And honestly, is downloading a Firefox plugin really so much work to do for the huge amounts of security it can provide?

I'm talking about something that could be used by Joe Stupid Consumer with little or no extra work on his part, from any computer with zero risk of compromise. Until you get there, it's just wishful thinking. PGP requires too much effort from the user to set up, on both ends.

Lealla

Post#28 » Wed Jan 21, 2009 3:50 pm

Sorry to post again, but I had a thought. What if the signup for universal authentication was handled through your ISP? When you get your Verizon, Comcast, AOL, or whatever account, you also get a hardware authentication key, and the first time you go online with the service, you are directed to the secure setup process. You'd have the option to bring your existing key/account along, of course.

The problem then is what you do with the people who don't have a "home" ISP and rely on terminals or work for access. It would take some thinking about; the best thing I can come up with is that you'd have the service be optional: either businesses could obtain their own authentication systems, or the global system would have a "lite" version that lets you create individual site accounts with username/password security but doesn't offer the additional features.

IMajorSmall

Post#29 » Wed Jan 21, 2009 3:53 pm

I think we're probably going to end up on the same problems with each other's concepts. In the end, the end user is just too stupid and the overhead and expense is just too large to bridge the security gap that needs to be filled. Personally, I think Microsoft's Live ID service is terribad. It works in a limited capacity and gives Microsoft access to everything I use the Passport for. While it's good in concept, I don't trust the company behind it, and being primarily a Linux user, there's not a whole lot I can use it for. Besides, it being used for Xbox 360, I had to dumb down my password, because using my usual level of complexity (20+ completely random) was just too much of a PITA to use on a gaming console.

You can't fix human stupidity, so a system similar to yours, where security is almost transparent for everything necessary would be ideal. But I just don't see how it's possible.

Honestly, I don't think we should worry about somebody's 90 year old grandmother. We should look forward. Work on concepts for future systems. If we can get the current generation used to having a physical component, it'll already be ingrained when we get to 90, and we won't have to teach old dogs new tricks.

Lastly, PGP as it is is too complicated for the average user. I'm not debating that. But it can be made easy. It can be streamlined into getting a driver's license if you wanted to. All the user has to do is enter an email and a password on a terminal at the DMV, and the DMV will generate and sign your key, then give you your private key on a card, then upload the public key to the distributed servers. Properly configured, that card can then be used for everything from authenticating you at a bank to starting your car if you get RFID and more layers of security involved. If they lose their card, all they'd have to do is call the DMV, they could immediately recall/disable the key, and then the user would take the same steps as if they lost their license to get a new one. The problem with this is that you need a driver's license/permit/state ID to make this work. On the other hand, I've always thought a state ID would make a lot of things much easier.

Sure you'd need to implement a new infrastructure and write a bunch of new standards, but as I see it, it's the best of both worlds. It forces two-factor authentication (including a physical factor), and involves a state agency. It doesn't include more information than you need, either. All the site authenticating will have access to is the fact that you are who you claim to be.

I don't like the idea of ISPs (or anybody) controlling what happens in the tubes. The Internet was built on freedom, and that freedom has made it what it is today, and what it will be tomorrow. I'm a big supporter of net neutrality.

Edit: Just read your second post. It's a decent thought, but that puts a private corporation in control of what really only a government should do IMO. And wow, wall of text (referring to my post).

Lealla

Post#30 » Wed Jan 21, 2009 4:14 pm

Tying the physical authentication component to a state-issued ID is a great idea and would neatly solve the problem of how you get it into people's hands. I like that. And you're right that you would only need to use it for the authentication component itself, and leave all the rest up to the user. I could certainly foresee value-added services, though, like the ones I mentioned above: cross-business communication, universal profiles, site access management, parental controls, unified payment, etc.

As for ISP controls, I'm talking about the problem of verifying that the sender of an email (or more generally, a data packet) is actually the person/system claiming to have sent it. Specifically, when a computer becomes part of a botnet, it is generally used to (a) send spam, (b) host illegal websites, (c) conduct denial of service attacks, (d) attack security exploits in other computers, (e) distribute botnet software. It is nearly impossible to identify and shut down infected computers because the bots universally spoof the headers of the packets they send out.

Upstream authentication is simply that if your ISP detects you sending packets with forged headers, it shuts you down until you fix the problem. If your ISP is itself complicit or compromised, its ISP will cut it off, and so forth. If the botnets can't send data from their bots, the whole scheme unravels. If they instead send data with authentic headers, it's easy to isolate and notify the owner of the infected machine.

For people who are truly determined to prevent Big Brother from beaming mind control rays through their wireless routers, it will still be possible to use anonymizing services set up by a third party. What this will prevent is computers being used to distribute traffic without their owners' knowledge or consent.
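The "upstream authentication" Lealla sketches in posts #27 and #30 (the ISP rejects traffic whose source IP or From address doesn't match the account's authorized-sender table, counts violations, and cuts the account off until the owner fixes it) can be modelled as a small policy engine. This is an added example written for this thread, not code from any poster or ISP; the accounts, addresses, messages and the three-strike limit are all constructed for illustration.

```python
"""
Toy model of per-account upstream authentication at an ISP: each account
registers the networks it sends from and the From addresses it may use.
Anything else is a forged header, earns a strike, and after VIOLATION_LIMIT
strikes the account is disabled and the owner notified (constructed example).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

VIOLATION_LIMIT = 3  # strikes before the account is cut off (assumed value)


@dataclass
class Account:
    name: str
    authorized_nets: List[str]    # CIDR blocks the subscriber sends from
    authorized_senders: Set[str]  # From addresses registered on the account
    violations: int = 0
    disabled: bool = False


@dataclass
class Message:
    account: str    # ISP account the traffic arrived on
    src_ip: str     # source address as the ISP observed it, not as claimed
    mail_from: str  # claimed sender (the header a bot would forge)


class UpstreamAuthenticator:
    def __init__(self, accounts: List[Account]):
        self.accounts = {a.name: a for a in accounts}
        self.log: List[str] = []  # what the ISP would hand to its abuse desk

    def check(self, msg: Message) -> Tuple[bool, str]:
        """Return (accepted, reason) and apply the strike policy."""
        acct = self.accounts.get(msg.account)
        if acct is None:
            return False, "unknown account"
        if acct.disabled:
            return False, "account disabled until the owner fixes the problem"
        ip_ok = any(ip_address(msg.src_ip) in ip_network(net)
                    for net in acct.authorized_nets)
        from_ok = msg.mail_from.lower() in acct.authorized_senders
        if ip_ok and from_ok:
            return True, "ok"
        # Mismatch: the traffic did not come from where this account lives, or
        # the From header claims an identity the account never registered.
        reason = "source IP not authorized" if not ip_ok else "From address not authorized"
        acct.violations += 1
        self.log.append(f"{acct.name}: rejected ({reason}) "
                        f"src={msg.src_ip} from={msg.mail_from}")
        if acct.violations >= VIOLATION_LIMIT:
            acct.disabled = True
            self.log.append(f"{acct.name}: disabled after "
                            f"{acct.violations} violations; notify owner")
        return False, reason


def run_demo():
    """Replay a constructed traffic sample; return verdicts, account, log."""
    isp = UpstreamAuthenticator([
        Account("alice-home", ["198.51.100.0/24"], {"alice@example.net"}),
    ])
    traffic = [
        Message("alice-home", "198.51.100.7", "alice@example.net"),       # legit
        Message("alice-home", "198.51.100.7", "ceo@bigbank-example.com"),  # forged From
        Message("alice-home", "203.0.113.9", "alice@example.net"),         # spoofed source
        Message("alice-home", "198.51.100.7", "alice@example.net"),       # legit again
        Message("alice-home", "198.51.100.7", "lottery@example.org"),      # third strike
        Message("alice-home", "198.51.100.7", "alice@example.net"),       # now blocked
    ]
    verdicts = [isp.check(m) for m in traffic]
    return verdicts, isp.accounts["alice-home"], isp.log


if __name__ == "__main__":
    results, account, abuse_log = run_demo()
    for ok, why in results:
        print("ACCEPT" if ok else "REJECT", why)
    print("\n".join(abuse_log))
```

The legitimate message in position four is still accepted between strikes; only after the limit is reached does the account's own mail bounce, which is the "notify the owner of the infected machine" step the posts describe.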
