Archive for April, 2016

Passwords may be insecure, but so is everything else

Thursday, April 28th, 2016

Interesting bit of news today. Apparently Microsoft’s Office 365 had – for some lengthy but undisclosed period of time – a vulnerability exposing every single account to public access. This means that if your organization offloaded Exchange to O365, all your e-mails and documents were wide open for some long period of time (months? years?).

The details are here.

The short version is that there was a bug in how O365 processed SAML assertions (the mechanism that lets O365 offload user identification, authentication and authorization to another system, such as an on-premise ADFS). An attacker could consequently impersonate anyone with a bogus SAML assertion.
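As an added illustration of the validation a service provider has to get right before trusting an assertion (this is example code added here, not Microsoft's or any real implementation, and it does not reproduce the actual O365 bug, whose details are in the linked write-up), the check below accepts an assertion only when its issuer is on a trust list, the signature verifies under that issuer's registered key, the audience is this service provider, and the validity window is current. Real SAML uses XML-DSig with X.509 certificates; an HMAC over the trusted fields stands in for that here so the example runs on the Python standard library. Every URL, subject and secret is constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS, "ds": DS_NS}

# Constructed registry of identity providers this service provider trusts.
# Real SAML maps an issuer to its X.509 signing certificate; a shared HMAC
# secret stands in for it here (assumption, to keep the example stdlib-only).
TRUSTED_ISSUERS = {
    "https://adfs.example.org/": b"constructed-idp-secret",
}
# Entity ID of this service provider (constructed).
OUR_AUDIENCE = "https://sp.example.com/"


class AssertionRejected(Exception):
    pass


def _canonical(issuer, subject, audience, not_before, not_on_or_after):
    """The bytes that get signed: every field the SP later relies on is covered."""
    return "\n".join([issuer, subject, audience, not_before, not_on_or_after]).encode()


def _sign(secret, canonical):
    return base64.b64encode(hmac.new(secret, canonical, hashlib.sha256).digest()).decode()


def build_assertion(issuer, subject, audience, not_before, not_on_or_after, secret=None):
    """Produce a SAML-shaped assertion; secret=None yields an unsigned one."""
    sig = ""
    if secret is not None:
        sig = _sign(secret, _canonical(issuer, subject, audience, not_before, not_on_or_after))
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS}" xmlns:ds="{DS_NS}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"<ds:Signature><ds:SignatureValue>{sig}</ds:SignatureValue></ds:Signature>"
        f"</saml:Assertion>"
    )


def verify_assertion(xml_text, now):
    """Return the authenticated subject or raise AssertionRejected.

    Order matters: establish who signed the document and that we trust them
    before believing anything it says about the user.
    """
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    subject = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    sig = root.findtext("ds:Signature/ds:SignatureValue", default="", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    not_before = cond.get("NotBefore", "")
    not_on_or_after = cond.get("NotOnOrAfter", "")

    # 1. The issuer must be one we hold a key for; an unknown IdP gets nothing.
    secret = TRUSTED_ISSUERS.get(issuer)
    if secret is None:
        raise AssertionRejected("unknown issuer")
    # 2. The signature must verify under *that* issuer's key, not just any key.
    expected = _sign(secret, _canonical(issuer, subject, audience, not_before, not_on_or_after))
    if not sig or not hmac.compare_digest(sig, expected):
        raise AssertionRejected("signature invalid or absent")
    # 3. The assertion must have been minted for this service provider.
    if audience != OUR_AUDIENCE:
        raise AssertionRejected("audience mismatch")
    # 4. And it must be inside its validity window.
    if not (datetime.fromisoformat(not_before) <= now < datetime.fromisoformat(not_on_or_after)):
        raise AssertionRejected("outside validity window")
    return subject


def demo():
    """Run a genuine assertion and several bogus ones through the verifier."""
    now = datetime(2016, 4, 28, 12, 0, tzinfo=timezone.utc)
    nb = (now - timedelta(minutes=5)).isoformat()
    noa = (now + timedelta(minutes=5)).isoformat()
    idp = "https://adfs.example.org/"
    secret = TRUSTED_ISSUERS[idp]
    cases = {
        "genuine": build_assertion(idp, "alice@example.com", OUR_AUDIENCE, nb, noa, secret),
        "unsigned": build_assertion(idp, "admin@example.com", OUR_AUDIENCE, nb, noa),
        "wrong_key": build_assertion(idp, "admin@example.com", OUR_AUDIENCE, nb, noa, b"other-secret"),
        "unknown_issuer": build_assertion(
            "https://idp.example.net/", "admin@example.com", OUR_AUDIENCE, nb, noa, b"other-secret"),
        "wrong_audience": build_assertion(idp, "alice@example.com", "https://elsewhere.example/", nb, noa, secret),
        "expired": build_assertion(idp, "alice@example.com", OUR_AUDIENCE, nb, nb, secret),
    }
    results = {}
    for name, xml_text in cases.items():
        try:
            results[name] = "accepted as " + verify_assertion(xml_text, now)
        except AssertionRejected as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

Only the genuine case is accepted; the others are turned away in the order the checks run, which is why a missing or unverifiable signature is reported before the audience or time window is even looked at. A verifier that skips step 1 or step 2, or looks the key up by something other than the issuer it just authenticated, is exactly the kind of processing bug that lets a self-made assertion through.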

Wow. Just wow.

This is no different than if they had dumped plaintext passwords for all of their users.

So to everyone claiming that if we could only get rid of passwords, the world would be safe again – here’s the counter example. It doesn’t matter how you authenticate users, security bugs trump everything.

Safe computing everyone!

Politicians, crypto and craziness

Thursday, April 14th, 2016

Politicians are commonly technologically ignorant. This is not news. In the few times I’ve seen politicians give speeches about IT security at conferences, my common reaction has been “wow, these people were elected, and have actual power!”

So today should come as no surprise, as two US congress members propose legislation that implicitly requires encryption back doors. Nowhere in the draft bill does it say that vendors have to create back doors, but that’s clearly what the bill is about:

Techcrunch.com article

Thankfully, it sounds like this turd won’t survive a senate hearing or a presidential veto, but you never know. If such a thing were to pass, then:

  • There would be zero impact on security, since strong crypto is widely available in the world and in any case terrorists are often too dumb to use it.
  • There would be massive adverse consequences for US tech companies, which would either be forced to relocate to safer harbours (Canada is nice!) or lose all sorts of non-US markets.

I suppose the tactical question is: “how do we block stupid legislation like this?”

The bigger question is “how do we recruit politicians who are not idiots?” That’s a much harder question – politics is nasty, and smart people know well enough to avoid it.