[conspire] About conditioned helplessness

Edward Cherlin echerlin at gmail.com
Sat Sep 3 23:30:16 PDT 2011


On Fri, Sep 2, 2011 at 13:16, Luke S. Crawford <lsc at prgmr.com> wrote:
> Now, I think, RSA made an absolutely boneheaded mistake that changed
> the breakin, in their case, from being an embarrassing sidenote to
> it meaning that all their customers were also vulnerable to compromise.
>
> They use shared secrets for authentication.
>
> Those time-based tokens?  the seed is essentially a shared secret, and
> while they provide a secure way of transmitting that secret, I believe both
> ends need to know the secret.  This means that if the attacker compromises
> the server being authenticated to, in this case, an RSA owned server, the
> attacker can then use those secrets to attack other servers using the same
> authentication keys.

This would be particularly bad if it were the OTP login server that
was compromised.

I have mentioned contracting at VeriSign on their security API
documentation. I also worked on OTP token management documentation.
Tokens and servers run a pseudo-random number generator to create
One-Time Passwords, so both ends must know the algorithm and current
seed value, which is changed at each iteration. (Synchronization is an
issue that reduces the security of the system.) Initializing a token
includes setting a pseudo-random seed while the token is physically
under the control of the appropriate sysadmin. VeriSign's token vendor
can do this in bulk for banks.

Using six-digit OT passwords means that it would take a factor of a
million more tries, on average, to break into accounts, except that
the server keeps several iterations of the password algorithm on hand.
So, a million divided by the synchronization cache size.

How many passwords do you suppose hax0rs can try per second from a
botnet, if they know enough user IDs at enough banks? Does anybody
think that they need to break into accounts more than once each?

How about carrying a laptop and its token through the airport in the same bag?

But it sure beats letting users tape their passwords to their monitors. :(

Most of the companies where I have done documentation work have given
me Windows machines with Admin privileges, so that I could manage
necessary software rather than bother IT for every utility I was going
to run, and manage my own filesystem as needed for new projects. (Yes,
Rick, _I_ could have used the command line, but not all of the others
I worked with.) This left me and a lot of others having to manage
security on our own daily-use computers, apart from the antivirus
program and its automatic updates. I got to use Solaris once, and
Linux a few times, where I did not have to run as Admin all day.

Have I ever mentioned the NT 3.5 box I used once, that locked up to
the point where it would not turn on _or_ off? Or the Windows Beta
where Paint complained, "Insufficient memory to quit"? Or when the "I
love you" Trojan nobbled much of Microsoft via Outlook and VBasic?

--
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://wiki.sugarlabs.org/go/Replacing_Textbooks
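
An added sketch of the arrangement the message above describes, not code from the original post or from any vendor: token and server hold the same secret, the server accepts any code inside a look-ahead window, and that window divides the guessing space. It substitutes the public counter-based HOTP algorithm (RFC 4226) for the unspecified vendor generator; the OtpServer class, the window size and the lockout threshold are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # six-digit one-time passwords, as in the message


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Hypothetical verifier: same secret as the token, window of upcoming codes."""

    def __init__(self, secret: bytes, window: int, max_failures: int = 5):
        self.secret = secret
        self.window = window          # the "synchronization cache size"
        self.counter = 0              # next counter value the server expects
        self.failures = 0
        self.max_failures = max_failures  # assumed lockout threshold

    def verify(self, candidate: str) -> bool:
        if self.failures >= self.max_failures:
            return False              # locked out: caps online guessing
        for step in range(self.window):
            expected = hotp(self.secret, self.counter + step)
            if hmac.compare_digest(expected, candidate):
                self.counter += step + 1   # resynchronize; used codes never repeat
                self.failures = 0
                return True
        self.failures += 1
        return False


def guess_success_probability(window: int, digits: int = DIGITS) -> float:
    """Upper bound on the chance that one blind guess lands in the window."""
    return window / 10 ** digits


def expected_guesses(window: int, digits: int = DIGITS) -> float:
    """The message's "a million divided by the synchronization cache size"."""
    return 10 ** digits / window
```

Because hotp() needs nothing but the secret and the counter, anyone who copies the server's secret store can compute every future code, and the failure counter is the only thing that keeps online guessing from reaching the expected_guesses() figure.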



