Too true – especially for consumer-facing sites:
What do you all think of the latest WikiLeaks disclosure? To be more specific:
Here are my views … I’d love to hear yours:
I would add to this that the American government response to this whole incident has been nothing short of embarrassing. I’m embarrassed for the US government — for making wild claims about the harm caused by these leaks (what harm? seriously?) and for the strong-arm tactics they seem to be using to suppress further distribution (shutting down WikiLeaks’ DNS service, Amazon web hosting and most recently PayPal account).
The main buzz around the latest dispatch from WikiLeaks is about the content – and I have to agree with most people who have commented on it – the response amounts to “Yawn, really, that’s what all the fuss is about?”
The process of the leak itself is more interesting. This was a mass download of a bunch of data that various US government agencies were intentionally sharing. Sharing is good, especially for low-risk data such as this. On the other hand, the US government didn’t actually want the data to leak outside of itself, and given the thousands of people with access, that’s a tall order.
So how do you share something with thousands of people while still minimizing the chances that one of them will release it?
Well … first, you should change the access method to be “one document at a time” rather than “all at once.” I have to assume they actually did do that – but someone scripted a bulk download of these documents.
The second step is to impose some sort of economic cost on anyone considering a breach of protocol by releasing the content. This is where some people jump up and yell “Digital Rights Management!” and where I claim “No! DRM Sucks!” 😉 Actually, I think a much more benign solution is to apply a hard-to-detect, hard-to-remove watermark to individual documents downloaded from this sort of database. Basically, if I download a file from this database, the file should be marked up in some way to indicate that it was me who downloaded it. Anyone can read it – but at least people in authority should be able to figure out that it is my download they are reading.
Same thing with the WikiLeaks documents – if the feds had used a file format that allows for watermarking and had marked up downloaded documents, then legitimate users, including whoever actually leaked the content, wouldn’t have been so eager to let the cat out of the bag.
Technologically, you need some sort of watermarking system and, of course, an identity and access system — users have to identify themselves and authenticate before they can download this stuff, else the central server wouldn’t know what to put in the watermark.
In fact, this raises another question – don’t they log who downloads content? If they don’t, then they deserve the outcome they got. If they do log, then they should already know who downloaded all this content.
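The scheme sketched in the last few paragraphs, as an added example that is not part of the original post: a constructed download service that records who fetched which document under a per-download ticket and embeds that ticket in the copy it returns, so a leaked copy can be traced through the access log. The zero-width-character mark, the class and the sample document are all assumptions made for the illustration.

```python
# Traceable downloads: added example, not the author's or any agency's code.
# The service logs (user, document, ticket) and embeds the random ticket in the
# copy it hands out, so a leaked copy traces back to the account that fetched it.
# The mark (zero-width characters in word gaps) is deliberately simple: invisible
# to a casual reader but easy to strip; it shows the mechanism, not robustness.
import secrets

ZW0, ZW1 = "\u200b", "\u200c"  # zero-width space / non-joiner carry bit 0 / 1
TICKET_BITS = 32

def embed(text, ticket):
    """Put the ticket, most significant bit first, into the first TICKET_BITS word gaps."""
    words = text.split(" ")
    if len(words) - 1 < TICKET_BITS:
        raise ValueError("document too short to carry the mark")
    gaps = [ZW1 if (ticket >> (TICKET_BITS - 1 - i)) & 1 else ZW0 for i in range(TICKET_BITS)]
    gaps += [""] * (len(words) - 1 - TICKET_BITS)   # remaining gaps stay plain
    return words[0] + "".join(" " + g + w for g, w in zip(gaps, words[1:]))

def extract(text):
    """Recover the ticket from a marked copy; None if no complete mark is present."""
    marks = [c for c in text if c in (ZW0, ZW1)][:TICKET_BITS]
    if len(marks) < TICKET_BITS:
        return None
    return int("".join("1" if c == ZW1 else "0" for c in marks), 2)

class DownloadService:
    def __init__(self, documents):
        self.documents = documents  # doc_id -> plain text
        self.access_log = []        # (timestamp, user, doc_id, ticket)

    def download(self, user, doc_id, now):
        """An authenticated user fetches a document and receives a marked copy."""
        ticket = secrets.randbits(TICKET_BITS)   # unique per download, not per user
        self.access_log.append((now, user, doc_id, ticket))
        return embed(self.documents[doc_id], ticket)

    def trace(self, leaked_text):
        """Map a leaked copy back to (user, doc_id) through the access log."""
        ticket = extract(leaked_text)
        return next(((u, d) for _, u, d, t in self.access_log if t == ticket), None)

# Constructed sample document, long enough (>= 33 words) to carry a 32-bit mark.
SAMPLE_DOC = "Constructed sample dispatch: " + " ".join(f"w{i}" for i in range(40))
```

Stripping the zero-width characters recovers the original text, which is exactly why a real deployment needs a mark that survives reformatting; the access log, not the mark, is what makes the trace possible.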
That’s my $0.02 for today.
While it’s nothing new, it does revisit good advice that everyone should follow: avoid passwords that are based on names of people close to you, don’t think that sticking a digit at the end of your password makes it secure,
What it does do is make the same mistake that lots of “password security” advice does – which is to assume that an attacker can test millions of guesses per second. That’s only true if the attacker has access to the password hashes, which usually means that he’s already got physical access to your computer or has compromised the security database of an application you sign into.
That’s a big assumption and I would venture that it’s almost always false.
If an attacker has to test passwords by trying to sign into one of your accounts using a script, he’s unlikely to get more than about 1 guess per second and he’s quite likely to trigger a lockout after a few tries. Moreover, many on-line login systems now use CAPTCHAs, so he can’t even script the attack.
In short: protected and inaccessible password hash databases, slow interactive login screens, intruder lockout mechanisms and CAPTCHAs make brute force attacks, even optimized with good dictionaries, pretty much useless, unless your password is *really* bad.
John also suggests that your bank account is linked to your e-mail address, so a compromise of your e-mail could also compromise your bank security. That’s a bit of a stretch, in my mind. I can’t comment about all banks, but none of the financial institutions that I do business with even know any of my e-mail addresses.
So here I’m just curious: does your bank use your e-mail address as an out-of-band authentication factor?
Interesting blog entry on serverfault.com about whether and when to grant developer access to production systems.
It’s a good read – if you’re a developer or an admin – go read it.
The one thing I can add to the discussion is simply this: it’s not an all-or-nothing question. It’s reasonable, for example, to grant developers admin-level access to a production system in the context of resolving an emergency outage, or troubleshooting a hard-to-find problem, or performing a complicated version upgrade, or even as backup resources if all the normal admins are unavailable (home sick, etc.).
Operationally, it’s pretty straightforward to do that using a privileged password management system. That’s because PPM systems randomize passwords regularly (e.g., daily or even more often), so giving a developer the admin password to a production system does not imply that he’ll still know it tomorrow, or even that he’ll know the admin password for some other systems. A PPM system can also be used for workflow authorization of the temporary access grant, audit logs, etc.
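The PPM workflow described above, as an added example that is not any vendor’s product or the author’s code: a constructed manager in which an approver grants a developer one host’s admin password for a bounded window, every step is audited, and the password is re-randomized when the grant ends. Host names, TTLs and the class are assumptions for the illustration.

```python
# Privileged password management for a temporary grant: added example, not any
# vendor's product or the author's code. Constructed model: an approver grants a
# developer the admin password of one production host for a bounded window, every
# step is audited, and the password is re-randomized when the grant ends (and on
# the daily schedule), so today's password reveals nothing about tomorrow's.
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def random_password(length=24):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class PrivilegedPasswordManager:
    def __init__(self, hosts):
        self.vault = {h: random_password() for h in hosts}  # host -> admin password
        self.grants = {}   # (user, host) -> expiry time (seconds)
        self.audit = []    # (time, event, actor, host)

    def grant(self, approver, user, host, now, ttl):
        """Workflow step: someone other than the requester approves bounded access."""
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if host not in self.vault:
            raise KeyError(host)
        self.grants[(user, host)] = now + ttl
        self.audit.append((now, f"grant by {approver} for {ttl}s", user, host))

    def checkout(self, user, host, now):
        """Release the current password only inside an active grant."""
        expiry = self.grants.get((user, host))
        if expiry is None or now >= expiry:
            self.audit.append((now, "checkout denied", user, host))
            raise PermissionError(f"{user} has no active grant for {host}")
        self.audit.append((now, "checkout", user, host))
        return self.vault[host]

    def rotate(self, host, now, reason):
        """Randomize one host's password; run daily and whenever a grant ends."""
        self.vault[host] = random_password()
        self.audit.append((now, f"rotate ({reason})", "ppm", host))

    def expire_grants(self, now):
        """Close expired grants and rotate the hosts they covered."""
        for (user, host), expiry in list(self.grants.items()):
            if now >= expiry:
                del self.grants[(user, host)]
                self.audit.append((now, "grant expired", user, host))
                self.rotate(host, now, "grant ended")
```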
A couple of unrelated but similarly themed stories making the rounds:
In both cases, the uncomfortable theme is that governments can use their coercive power to try to silence critics, and that especially includes critics who try to shed light on uncomfortable truths…
Sounds like the good folks at Georgia Tech have worked out how fast they can crack passwords (i.e., validate whether a guessed password matches the hash from a password database) using a GPU. They don’t seem to mention which password hashing algorithm they are attacking, but they do point out, in the way that responsible journalists never would, that an attacker would of course have to have a copy of the password hashes first.
The first line of defense in most password systems is to prevent attackers from getting the hashes. So long as that works, this whole class of attack is irrelevant. Something sensationalist journalists (hey, that rhymes!) fail to point out.
So what have we learned?
Wow – we used to think of Microsoft as a scary company.
In just one week Oracle has promised to eliminate live source code repositories for OpenSolaris, effectively making it “not quite open” (blogspot.com) and filed a lawsuit against Google over its use of the Java programming language (www.computerworld.com).
Nice to see that they are putting Sun’s assets to good use.
To the folks at Oracle: is this the sort of behavior that your customers ask for?
Two blog posts in one day – that’s a first! 🙂
Interesting read at securityweek.com (OK, I first found it on slashdot).
The gist of it is that many users have the same password on social media sites and web-based public e-mail systems.
My first impression is … so? Those are low-value assets, and users choose convenience over security because they (correctly) think that “well, if someone hacks any or all of these accounts, I really don’t care much about it.”
Just because we *can* make things secure doesn’t automatically imply that we *want* to make *everything* secure. Some things are basically sacrificial in nature.
A nice write-up about deploying full disk encryption to client devices:
A couple of interesting tidbits:
A good read, in any case!