LinkedIn password database compromised
Sorry to be the bearer of such bad tidings. Please note that I'm doing a
quick copy/paste from a notification I received. I've edited it a bit.

Please note that LinkedIn has weighed in with a carefully worded blog post:

http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/

Further details:
1. The leak took place on June 4
2. LinkedIn was using unsalted SHA-1 for their password store.
3. FYI, there are two lists. The second one appears to be from eHarmony.
Unsalted MD5 used there.
4. The posted passwords are believed to be ones the cracker wanted help
with, i.e., they have significantly more already cracked.

Apparently phishing emails are already active in the wild based on the
crack:

http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/

In other words, if you have a LinkedIn account, expect that the password
has been stolen. Go change your password now. If you used that password
elsewhere, you know the routine. In addition, as has been pointed out
elsewhere, there's no sign LI has fixed the problem. Expect that the
password you change it to will also be compromised.

:-(

--
A picture is worth 10K words -- but only those to describe
the picture. Hardly any sets of 10K words can be adequately
described with pictures.
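
Points 2 and 3 above (unsalted SHA-1 and unsalted MD5) matter because every account with the same password gets the same stored value. The following is an added example, not part of the original post, contrasting that scheme with a per-user salted scrypt record; the account names, passwords and the `scrypt$N$r$p$salt$hash` record layout are constructed for illustration.

```javascript
// Added example: constructed accounts and passwords, not data from the leak.
const nodeCrypto = require('crypto');

// Weak scheme named in the post: unsalted SHA-1 of the password.
function sha1Unsalted(password) {
  return nodeCrypto.createHash('sha1').update(password, 'utf8').digest('hex');
}

// Hardened scheme: per-user random salt plus a memory-hard KDF (scrypt).
// The record layout "scrypt$N$r$p$salt$hash" is an assumption of this example.
const SCRYPT = { N: 16384, r: 8, p: 1, keylen: 32 };

function hashScrypt(password, salt = nodeCrypto.randomBytes(16)) {
  const dk = nodeCrypto.scryptSync(password, salt, SCRYPT.keylen,
    { N: SCRYPT.N, r: SCRYPT.r, p: SCRYPT.p });
  return ['scrypt', SCRYPT.N, SCRYPT.r, SCRYPT.p,
    salt.toString('base64'), dk.toString('base64')].join('$');
}

function verifyScrypt(password, record) {
  const parts = record.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [, N, r, p, saltB64, hashB64] = parts;
  const salt = Buffer.from(saltB64, 'base64');
  const expected = Buffer.from(hashB64, 'base64');
  // Reject truncated records: an empty hash would otherwise match anything.
  if (expected.length !== SCRYPT.keylen || salt.length === 0) return false;
  const actual = nodeCrypto.scryptSync(password, salt, expected.length,
    { N: Number(N), r: Number(r), p: Number(p) });
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time compare
}

// Audit helper: how many accounts share their stored value with another one?
// Any non-zero result means one recovered password unlocks several accounts.
function sharedRecordCount(store) {
  const counts = new Map();
  for (const rec of Object.values(store)) {
    counts.set(rec, (counts.get(rec) || 0) + 1);
  }
  return Object.values(store).filter((rec) => counts.get(rec) > 1).length;
}

// Constructed sample accounts; two users picked the same password.
const users = { alice: 'linkedin2012', bob: 'linkedin2012', carol: 'correct horse' };

function buildStore(hashFn) {
  return Object.fromEntries(
    Object.entries(users).map(([name, pw]) => [name, hashFn(pw)]));
}

console.log('unsalted SHA-1, shared records:', sharedRecordCount(buildStore(sha1Unsalted)));
console.log('salted scrypt,  shared records:', sharedRecordCount(buildStore(hashScrypt)));
```
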
Re: LinkedIn password database compromised
On Wed, Jun 6, 2012 at 9:33 PM, Lynda <shrdlu@deaddrop.org> wrote:
> Sorry to be the bearer of such bad tidings. Please note that I'm doing a
> quick copy/paste from a notification I received. I've edited it a bit.
>
> Please note that LinkedIn has weighed in with a carefully worded blog post:
>
> http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/
>
> Further details:
> 1. The leak took place on June 4
> 2. LinkedIn was using unsalted SHA-1 for their password store.

Raising the issue of why Linkedin hasn't adopted the latest security
wrinkles from 1978. ( http://cm.bell-labs.com/cm/cs/who/dmr/passwd.ps
)

> 3. FYI, there are two lists. The second one appears to be from eHarmony.
> Unsalted MD5 used there.

Ditto. Normally I would complain about the use of MD5, but what's the point.

Regards
Marshall

> 4. The posted passwords are believed to be ones the cracker wanted help
> with, i.e., they have significantly more already cracked.
>
> Apparently phishing emails are already active in the wild based on the
> crack:
>
> http://bits.blogs.nytimes.com/2012/06/06/that-was-fast-criminals-exploit-linkedin-breach-for-phishing-attacks/
>
> In other words, if you have a LinkedIn account, expect that the password has
> been stolen. Go change your password now. If you used that password
> elsewhere, you know the routine. In addition, as has been pointed out
> elsewhere, there's no sign LI has fixed the problem. Expect that the
> password you change it to will also be compromised.
>
> :-(
>
> --
> A picture is worth 10K words -- but only those to describe
> the picture.  Hardly any sets of 10K words can be adequately
> described with pictures.
>
>
Re: LinkedIn password database compromised
On Wed, Jun 6, 2012 at 7:19 PM, Marshall Eubanks
<marshall.eubanks@gmail.com> wrote:
> On Wed, Jun 6, 2012 at 9:33 PM, Lynda <shrdlu@deaddrop.org> wrote:
>> In other words, if you have a LinkedIn account, expect that the password has
>> been stolen. Go change your password now. If you used that password
>> elsewhere, you know the routine. In addition, as has been pointed out
>> elsewhere, there's no sign LI has fixed the problem. Expect that the
>> password you change it to will also be compromised.

Why haven't we taken this out of the hands of website operators yet?
Why can't I use my ssh-agent to sign in to a website just like I do
for about a hundred servers, workstations, and my PCs at home?

One local password used everywhere that can't be compromised through
website stupidity...

-A
Re: LinkedIn password database compromised
On 6/6/12, Aaron C. de Bruyn <aaron@heyaaron.com> wrote:
[snip]
> One local password used everywhere that can't be compromised through
> website stupidity...

One local password is an excellent idea of course.
"Remote servers directly handling user created credentials" should be appended
to the list of the worst ideas in computer security.

Which digital id architecture should web sites implement, and what's
going to make them all agree on one SSO system and move from the
current state to one of the possible solutions though? :)

A TLS + Client-Side X.509 Certificate for every user.
BrowserID
OpenID
Active Directory Federation Services

OASIS SAML / STS + WS-Trust
Shibboleth SSO
CoSign SSO
Facebook Connect
Novell Access Manager
Windows Live ID

[.insert a thousand of the other slightly more obscure Multi-website
Single-Login systems]
....

--
-JH
Re: LinkedIn password database compromised
On Wed, Jun 6, 2012 at 8:34 PM, Jimmy Hess <mysidia@gmail.com> wrote:
> Which digital id architecture should web sites implement, and what's
> going to make them  all agree on one SSO system   and move from the
> current state to one of the possible solutions though?  :)
>
>        A TLS + Client-Side X.509 Certificate  for every user.

Heck no to X.509. We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.

> [.insert a thousand of the other  slightly more obscure Multi-website
> Single-Login systems]

SSH does a good job of avoiding the pitfalls that most of those other
products have.
Active Directory has costs associated with it.
OpenID requires setting up your own server or using a third party.
Facebook and Google have their own auth systems, but quite a few
people are worried about how much they track you.
And the only time I use a Windows Live account is when I set one up
for a client who needs access to their volume licensing site.

Imagine signing up for a site by putting in your email and pasting
your public key.

No third party verifying and certifying who you are like with SSL
certs and charging you for the privilege (plain 'ol username/password
logins don't give you any verification either--linkedin has no clue
who I really am) just a key exchange from the user and server proving
that you've both seen each other before.

-A
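
The sign-up-with-a-public-key idea in the message above amounts to a challenge-response login. The following is an added sketch, not part of the original thread and not any existing product's protocol: the site stores only the pasted public key, and each login signs a fresh, single-use, expiring challenge bound to the site's origin. The `Site` and `Client` classes, the `login-v1` message layout, Ed25519 and `https://site.example` are all assumptions of this example.

```javascript
// Added example: hypothetical protocol sketch with constructed values.
const nodeCrypto = require('crypto');

const ORIGIN = 'https://site.example';   // hypothetical site identifier
const CHALLENGE_TTL_MS = 60000;

// Bytes that get signed: binding origin and email stops a signature made
// for one site or account from being accepted for another.
function signedBytes({ origin, email, nonce }) {
  return Buffer.from(JSON.stringify(['login-v1', origin, email, nonce]), 'utf8');
}

class Site {
  constructor() {
    this.accounts = new Map();  // email -> public key PEM (all the site stores)
    this.pending = new Map();   // email -> { nonce, expires }
  }
  register(email, publicKeyPem) {
    nodeCrypto.createPublicKey(publicKeyPem);  // throws on a malformed paste
    this.accounts.set(email, publicKeyPem);
  }
  challenge(email, now = Date.now()) {
    const nonce = nodeCrypto.randomBytes(32).toString('base64');
    this.pending.set(email, { nonce, expires: now + CHALLENGE_TTL_MS });
    return { origin: ORIGIN, email, nonce };
  }
  login(email, signatureB64, now = Date.now()) {
    const pem = this.accounts.get(email);
    const ch = this.pending.get(email);
    this.pending.delete(email);                // challenges are single use
    if (!pem || !ch || now > ch.expires) return false;
    const msg = signedBytes({ origin: ORIGIN, email, nonce: ch.nonce });
    return nodeCrypto.verify(null, msg, pem, Buffer.from(signatureB64, 'base64'));
  }
}

class Client {
  constructor() {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.privateKey = privateKey;              // never leaves the client
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  respond(challenge, expectedOrigin) {
    // Refuse to sign a challenge that claims a different origin.
    if (challenge.origin !== expectedOrigin) throw new Error('origin mismatch');
    return nodeCrypto.sign(null, signedBytes(challenge), this.privateKey)
      .toString('base64');
  }
}

function runScenario() {
  const site = new Site();
  const user = new Client();
  const other = new Client();                  // holds a different key
  const email = 'user@example.org';            // constructed address
  site.register(email, user.publicKeyPem);

  const sig = user.respond(site.challenge(email), ORIGIN);
  const first = site.login(email, sig);
  const replay = site.login(email, sig);       // no pending challenge left
  const wrongKey = site.login(email, other.respond(site.challenge(email), ORIGIN));
  const t0 = Date.now();
  const late = user.respond(site.challenge(email, t0), ORIGIN);
  const expired = site.login(email, late, t0 + CHALLENGE_TTL_MS + 1);
  return { first, replay, wrongKey, expired, stored: [...site.accounts.values()] };
}

console.log(runScenario());
```

A dump of `accounts` from this sketch contains only public keys, so a database leak gives nothing to crack offline; the concerns raised elsewhere in the thread (key theft from the user's machine, roaming, recovery) are outside what it covers.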
Re: LinkedIn password database compromised
On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
>
> Imagine signing up for a site by putting in your email and pasting
> your public key.

Yes! Yes! Yes!

I've been making this exact argument for about a year. It even retains
the same "email a link" reset mechanism when someone needs to reset
their key.

A common counter-argument is, "But ordinary Internet users won't
understand SSH keys." They don't need to! The idea is easily explained
via a lock-and-key metaphor that people already understand. The UI for
walking users through key creation is easily imagined.


-Snow
Re: LinkedIn password database compromised
On 6/7/2012 9:22 AM, James Snow wrote:
> On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
>> Imagine signing up for a site by putting in your email and pasting
>> your public key.
> Yes! Yes! Yes!
>
> I've been making this exact argument for about a year. It even retains
> the same "email a link" reset mechanism when someone needs to reset
> their key.
>
> A common counter-argument is, "But ordinary Internet users won't
> understand SSH keys." They don't need to! The idea is easily explained
> via a lock-and-key metaphor that people already understand. The UI for
> walking users through key creation is easily imagined.
>
>
> -Snow

Oh yeah, I can just imagine that "lock and key" conversation now...

"Imagine if the website has a lock on it, and you tell them what key you
want to use by giving them a copy."
"But if they have a copy of my key, couldn't they use it to open all of
the other locks I've set up to use it?"
"(explain public key crypto)"
"(drool, distraction by the latest Facebook feature)"

The other problem with this approach is that, as bad as trusting remote
sites to do security properly is, I'm not sure that putting a "one key
to rule them all" on users' machines is that much better, given the
average user's penchant for installing malware on their machine because
"FunnyMonkeyScreensaver.exe" sounded like such a good idea at the
time... I suspect we'd see a huge wave of malware whose sole purpose
is to steal public keys (and you KNOW users won't password-protect their
private keys!). Plus, now you have the problem of users not being able
to login to their favourite websites when they're using a friend's
computer, internet cafe, etc, unless they've remembered to bring a copy
of their private key with them.

I think public key auth for websites is a great idea for geeks who
understand the benefits, limitations and security concerns, but I have
serious doubts that it would hold up when subjected to the "idiot test".

- Pete
Re: LinkedIn password database compromised
In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
> Heck no to X.509. We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

Why?

A user providing the public half of a self-signed certificate is
exactly the same as the user providing the public half of a
self-generated SSH key.

The fact that you can have a trust chain may be useful in some
cases. For instance, I'm not at all opposed to the idea of the
government having a way to issue me a signed certificate that I
then use to access government services, like submitting my tax
return online, renewing my drivers license, or maybe even e-voting.

The X.509 certificates have an added bonus that they can be used
to secure the transport layer, something that your ssh-key-for-login
proposal can't do.

This is all a UI problem. If Windows/OSX or Safari/Firefox/Chrome
prompted users to create or import a "user certificate" when first
run, and provided a one-click way to provide it to a form when signing
up there would be a lot more incentive to use that method. Today pretty
much the only place you see certificates for users is Enterprises with
Microsoft's certificate tools because of the UI problem.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Re: LinkedIn password database compromised
On Jun 7, 2012, at 9:58 AM, Leo Bicknell wrote:

> In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
>> Heck no to X.509. We'd run into the same issue we have right now--a
>> select group of companies charging users to prove their identity.
>
...
> For instance, I'm not at all opposed to the idea of the
> government having a way to issue me a signed certificate that I
> then use to access government services, like submitting my tax
> return online, renewing my drivers license, or maybe even e-voting.



All in favor of paying $119/year to vote, please raise your hands.

http://www.verisign.com/dod-interoperability/
Re: LinkedIn password database compromised
On 07/06/12 6:36 AM, Peter Kristolaitis wrote:
> Plus, now you have the problem of users not being able to login to
> their favourite websites when they're using a friend's computer,
> internet cafe, etc, unless they've remembered to bring a copy of their
> private key with them.

I've run into this problem with setting up accounts on apps on my
smartphone. A secure password that is relatively easy to type on a
regular keyboard becomes a PITA to type on a smartphone. There are a
number of sites I simply don't use on my phone because the hassle of
setting up each site's app is greater than the benefit I get from
accessing it via the phone.

jc
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 6:36 AM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
> On 6/7/2012 9:22 AM, James Snow wrote:
>> On Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
>>>
> "Imagine if the website has a lock on it, and you tell them what key you
> want to use by giving them a copy."
> "But if they have a copy of my key, couldn't they use it to open all of the
> other locks I've set up to use it?"
> "(explain public key crypto)"
> "(drool, distraction by the latest Facebook feature)"

You'd run into the same issue explaining how MD5, SHA1, salting,
etc... works to 'protect' their password.
Users don't care.
If putty were to pop up its password box when my mother signed in to
her computer and then I said something like "Don't worry, you won't
need to enter passwords while you surf the 'net now." and maybe showed
her the chrome extension icon thingy to click when she wants to paste
her 'password' (public key) into a new site, she'd be fine with it.

> The other problem with this approach is that, as bad as trusting remote
> sites to do security properly is, I'm not sure that putting a "one key to
> rule them all" on users' machines is that much better, given the average
> user's penchant for installing malware on their machine because
> "FunnyMonkeyScreensaver.exe" sounded like such a good idea at the time...

And how does our current system of usernames and passwords avoid
malware that logs keystrokes?

> I suspect we'd see a huge wave of malware whose sole purpose is to steal
> public keys (and you KNOW users won't password-protect their private keys!).
>   Plus, now you have the problem of users not being able to login to their
> favourite websites when they're using a friend's computer, internet cafe,
> etc, unless they've remembered to bring a copy of their private key with
> them.

Yep--that's the one big problem I can see with this 'solution' that I
don't have an answer for yet.
It would be difficult to get users to carry around a USB key or a
smartcard, or whatever to get them signed in while away from their
home computer.

-A
RE: LinkedIn password database compromised
True,

Back in 1998-1999 timeline, there was an ongoing project to have the US
Postal service issue X.509 certificates at a nominal fee. The fact that even
the most rural areas have access to a post office made a lot of sense. After
the 2000 election, the project was cancelled because "private business" can
handle it better.



----
Matthew Huff  | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139


> -----Original Message-----
> From: jeff murphy [mailto:jcmurphy@jeffmurphy.org]
> Sent: Thursday, June 07, 2012 10:06 AM
> To: Nanog
> Subject: Re: LinkedIn password database compromised
>
>
> On Jun 7, 2012, at 9:58 AM, Leo Bicknell wrote:
>
> > In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron
> C. de Bruyn wrote:
> >> Heck no to X.509. We'd run into the same issue we have right now--a
> >> select group of companies charging users to prove their identity.
> >
> ...
> > For instance, I'm not at all opposed to the idea of the government
> > having a way to issue me a signed certificate that I then use to
> > access government services, like submitting my tax return online,
> > renewing my drivers license, or maybe even e-voting.
>
>
>
> All in favor of paying $119/year to vote, please raise your hands.
>
> http://www.verisign.com/dod-interoperability/
Re: LinkedIn password database compromised
On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:

> Imagine signing up for a site by putting in your email and pasting
> your public key.
>

I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in the safe deposit box doesn't read anymore.
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch <jared@puck.nether.net> wrote:
> I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in the safe deposit box doesn't read anymore.

I would think it's fairly simple.
What if she forgot her existing password? Most sites have a 'reset
password' link they e-mail you.
A browser extension 'helper' would simply generate a new key and let
you reset your password. Maybe the helper could be dumbed down enough
to automatically handle the password reset screen and automatically
POST the new key to the reset page.

I'm sure it could be done transparently enough that our mothers
wouldn't need to think twice about it.

Heck--the 'helper' could probably even back up your SSH key off-site
sorta like LastPass does. And if your private key is actually
password protected, it's slightly less useless if the off-site backup
company were compromised.

The only downfall is how do you get access to your e-mail account?
(Google already calls my cell and/or home phone if I request access
without using my password.)

I agree there are stumbling blocks, and it wouldn't be perfect--but it
seems like it would be much better than the alternative we have now.
People using the same password on multiple sites, passwords written
down, dumb website operators not salting their hashes, etc...

Also, thanks for the great secondary DNS service. ;)

-A
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 11:58 AM, Jared Mauch <jared@puck.nether.net> wrote:
>
> On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:
>
>> Imagine signing up for a site by putting in your email and pasting
>> your public key.
>>
>
> I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in the safe deposit box doesn't read anymore.

Or having to deal with family tech support, along the lines of

"You said you pasted it exactly."

"But I did. I've spent hours trying to watch that movie. I don't know
why it isn't working."

"But you {added a period at the end / didn't include the line wrap /
added a space at the beginning / etc}"

"Oh. Does that matter?"

For more joy, imagine debugging such issues over the phone. At least I
can say that my Mother (God rest her soul) would never
have indulged in such foolery. She would have just called the company
to send a technician in to send the email for her.

Regards
Marshall
RE: LinkedIn password database compromised
I rarely reply to threads. However the point of interest that is missed is "Not supported anymore because Microsoft says so". So Microsoft starts putting out systems at one per year and not supporting old ones because they "Have you over a barrel"?

Tell your daughter she can't get married? You haven't bought your new operating system this year, and "backward compatible" is a thing of the past?

Then it is $119.00 per year on top of that (maybe)?

Let's say Microsoft promised business to the PC building companies and decides that an operating system per year is only supported on new equipment? The cost to vote could be thousands per year. Only the rich can afford to vote?

The point is that you have to be careful about where you go with technology and who controls it. I am sure there are people who would love to see voting as a "can you afford it" right.

-----Original Message-----
From: Aaron C. de Bruyn [mailto:aaron@heyaaron.com]
Sent: Thursday, June 07, 2012 11:10 AM
To: Jared Mauch
Cc: Nanog
Subject: Re: LinkedIn password database compromised

On Thu, Jun 7, 2012 at 8:58 AM, Jared Mauch <jared@puck.nether.net> wrote:
> I'm imagining my mother trying this, or trying to help her change it after the hard drive dies and the media in the safe deposit box doesn't read anymore.

I would think it's fairly simple.
What if she forgot her existing password? Most sites have a 'reset password' link they e-mail you.
A browser extension 'helper' would simply generate a new key and let you reset your password. Maybe the helper could be dumbed down enough to automatically handle the password reset screen and automatically POST the new key to the reset page.

I'm sure it could be done transparently enough that our mothers wouldn't need to think twice about it.

Heck--the 'helper' could probably even back up your SSH key off-site sorta like LastPass does. And if your private key is actually password protected, it's slightly less useless if the off-site backup company were compromised.

The only downfall is how do you get access to your e-mail account?
(Google already calls my cell and/or home phone if I request access without using my password.)

I agree there are stumbling blocks, and it wouldn't be perfect--but it seems like it would be much better than the alternative we have now.
People using the same password on multiple sites, passwords written down, dumb website operators not salting their hashes, etc...

Also, thanks for the great secondary DNS service. ;)

-A
Re: LinkedIn password database compromised
On 6/7/2012 8:58 AM, Jared Mauch wrote:
>
> On Jun 7, 2012, at 2:14 AM, Aaron C. de Bruyn wrote:
>
>> Imagine signing up for a site by putting in your email and pasting
>> your public key.

> I'm imagining my mother trying this, or trying to help her change it
> after the hard drive dies and the media in the safe deposit box
> doesn't read anymore.

There are other issues than not being familiar with technology, and they
specifically affect those of us who have grown older, and lost certain
dexterity that used to be innate. There are passwords and pass phrases I
used to have committed to muscle memory. I never even had to think about
them. I've had to spend literally hours trying to type in a PGP pass
phrase that used to be something I could type without thinking.

There is no one size fits all solution to this. I'm still very annoyed
with a company that has only now moved to a password solution that
should have been in place in 2005. I still don't want single sign on.
Not anywhere. I've been around for a very long time, and I'm fine with
technical complexity for me, but do not expect the standard 16 year old
text messaging addict to be able to handle some of the solutions I've
seen suggested, much less most people my age.

Things are so complex now that people on nanog-l forget the average
level of expertise among their peer groups is simply not replicated in
the outside world. Jokes about needing a teenager to reprogram your VCR
are a thing of the past. I used to be in the business of forecasting the
future (among other things), and any security solution that is more
difficult than knowing not to use the same password for your bank that
you do for Facebook is doomed to fail.

{P.S. Ditto on thanks for backup DNS.}

--
A picture is worth 10K words -- but only those to describe
the picture. Hardly any sets of 10K words can be adequately
described with pictures.
Re: LinkedIn password database compromised
hi etaoin,

> I still don't want single sign on. Not anywhere.

i believe that 'single sign on' is a bad deal and dangerous for all, not
just we geeks. essentially it means that the 'identity provider' owns
your identity. i love that they call themselves 'identity providers'
when it is MY fracking identity and they are reselling it.

the 'single sign on' i encourage for the end using human beings i
support is 1password and its ilk. it provides the user with one sign-on
yet strongly encourages separation of identities and strong passwords
for sites.

add to that, something such as ghostery for your browser, and you have a
small chance of actually preserving your identity and minimizing cross-
site tracking.

randy
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 1:03 PM, Randy Bush <randy@psg.com> wrote:
> hi etaoin,
>
>> I still don't want single sign on.  Not anywhere.
>
> i believe that 'single sign on' is a bad deal and dangerous for all, not
> just we geeks.  essentially it means that the 'identity provider' owns
> your identity.  i love that they call themselves 'identity providers'
> when it is MY fracking identity and they are reselling it.

so... now that this can is open, has anyone looked at:
<http://www.oneid.com/>

they seem to have some interesting options for better authentication.

> the 'single sign on' i encourage for the end using human beings i
> support is 1password and its ilk.  it provides the user with one sign-on
> yet strongly encourages separation of identities and strong passwords
> for sites.

the oneid people would say: "it is still a shared secret"

-chris
Re: LinkedIn password database compromised
> so... now that this can is open, has anyone looked at:
> <http://www.oneid.com/>

yep. yet another bucket of identity slime wanting to resell my
identity.

randy
Re: LinkedIn password database compromised
The problem:
- Modern internet users must have lots of different login/passwords around
the internet. Most of them in easy-to-break poorly-patched poorly-managed
servers, like linkedin.

The solution:
- Reduce the number of authentication. Allow anonymous posting in more
sites.

Imagine this. I post something on the blog "yadaydayda". I give my email
and nothing else. The blog software sends me a email to confirm the post.
I click on it, and the post is published.

The real problem is that nowadays everybody and his dog want a password, and
a password is expensive for the user. The internet needs more anonymous
ways to publish content.


--
--
ℱin del ℳensaje.
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 1:14 PM, Randy Bush <randy@psg.com> wrote:
>> so... now that this can is open, has anyone looked at:
>>   <http://www.oneid.com/>
>
> yep.  yet another bucket of identity slime wanting to resell my
> identity.

maybe? they don't seem to want to be the 'identity provider' directly
though, or rather they point out that your corporation could be your
identity provider (or anyone else you might trust) they simply sell
the enabling software/tech.
Re: LinkedIn password database compromised
On Thu, Jun 7, 2012 at 1:30 PM, Tei <oscar.vives@gmail.com> wrote:
> The problem:
> - Modern internet users must have lots of different login/passwords around
> the internet.  Most of them in easy-to-break poorly-patched poorly-managed
> servers,  like linkedin.
>
> The solution:
> -  Reduce the number of authentication.  Allow anonymous posting in more
> sites.
>
> Imagine this.   I post something on the blog  "yadaydayda". I give my email
> and nothing else.   The blog software sends me a email to confirm the post.
> I click on it, and the post is published.
>
> The real problem is that nowadays everybody and his dog want a password, and
> a password is expensive for the user.  The internet needs more anonymous
> ways to publish content.

Maybe so, but anonymous entries on linkedin seems like a zen koan,
beyond the powers of my simple mind.

Regards
Marshall

>
>
> --
> --
> ℱin del ℳensaje.
Re: LinkedIn password database compromised
>>> so... now that this can is open, has anyone looked at:
>>>   <http://www.oneid.com/>
>>
>> yep.  yet another bucket of identity slime wanting to resell my
>> identity.
>
> maybe? they don't seem to want to be the 'identity provider' directly
> though, or rather they point out that your corporation could be your
> identity provider (or anyone else you might trust) they simply sell
> the enabling software/tech.

so they provide tools to identity resellers. the folk their software
enables are still *reselling* MY identity.

my point is that it is MY identity. there are tools, such as 1password,
which enable me to control MY identity and yet have the effect of single
sign-on.

and i believe it is important that mom and pop retain control of their
identities.

randy
Re: LinkedIn password database compromised
On Thu, 07 Jun 2012 13:33:59 -0400, Marshall Eubanks said:

> Maybe so, but anonymous entries on linkedin seems like a zen koan,
> beyond the powers of my simple mind.

There's a distinction between anonymous and pseudonymous. I'm
certainly not the former, but to all but maybe a dozen or two NANOG'ers, I'm
pretty much the latter - somebody who always posts from the same
identity, but they've never actually personally verified the identity.
