Slashdot Mirror


Hacking Web Services

siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."

10 of 226 comments

  1. Why are you doing this? by wiredog · · Score: 2, Informative
    You know it's a blatant copyright violation. You trying to get slashdot shut down?

    If Dr Dobbs was slashdotted, it might be understandable. As it is, you're just being an asshole.

  2. Access To Manber's Paper...And More by cybrpnk2 · · Score: 4, Informative

    The IEEE Symposium on Security and Privacy is one of the longest-running forums on this topic and is well worth being aware of. The papers for the 2002 session are on CD-ROM; so is a compilation of those from 1980-1999...

  3. Yahoo's problems... by Jace+of+Fuse! · · Score: 5, Informative

    Yahoo's problems are massive, and I think it's good that at least SOME people at Yahoo realize it, even though I'm still not convinced they are aware of the full scale of the problem.

    After all, if you chat with Yahoo's service, you're eventually going to be booted off by another user. Some of the methods users use to exploit the system and kick off other users are clever, some are not so clever.

    One method involves running a program easily downloaded off of the internet and typing in the desired victim's name. It's your basic "Punter". Some of the programs available are effective at removing users of Yahoo's Messenger, while a few of the more recent ones do a good job taking out users who use 3rd party Yahoo clients, or even Yahoo's web-based Java client.

    These methods of exploitation are half-way understandable, though I don't see why Yahoo hasn't worked to block the attacks in the same way that AOL has with AIM.

    The other method, plain old boot-text, is simply unacceptable.

    If I were chatting with someone using Yahoo Messenger and they annoyed me, all I would have to do is send them a single URL with an unrealistically long domain name in it, and their Yahoo Messenger will crash. A URL such as www.xxxxx.com with about 400 to 500 X's in the name will work nicely.

    It's a relatively simple matter for the end user to set up a personal word-filter on their messenger and block out all occurrences of "www." which effectively makes them invulnerable to this attack, but that is not the issue. The issue is, that if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.

    Think about it.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  4. Reverse authentication by Erasmus+Darwin · · Score: 4, Informative
    It's a shame his reverse authentication idea will never take off. I've actually wished there were something already available along these lines. As it currently stands, email addresses are a dime a dozen, IP addresses can change every few minutes (for dialup and DSL users, at least), and proxies allow a user to avoid even a broad IP range block.

    So it would be a great boon to web services if there were a way to somehow have a way of confirming that a person hasn't already signed up for a service. It'd allow many boards to weed out their troll population while maintaining an open sign-up. On one forum I was on, the problem was so bad that registration was completely closed then later moved to a pay-only model.

    The problem is that I can't see any way to do it without compromising the identities of the people. For example, I don't see a problem with Slashdot knowing that 'Erasmus Darwin' is my only Slashdot account, but I don't want to create a system where they could theoretically share records with another entity and use that to determine my identity there. Perhaps the identity token I provide to Slashdot could be some sort of one-way hash of my identity combined with '@slashdot.org', thereby limiting it to a single area.

    One downside of this system is that a government-type institution with a search warrant could use my secret identity information to reproduce my Slashdot token and verify my identity. I don't see any way to prevent the identification from somehow serving to find out who I am. Still, that theoretically pushes the identification process off to a similar level of difficulty to tracing the user's IP (i.e. Slashdot couldn't do it on its own). Thus, if we pretend that no one uses anonymizing web proxies, it's the same level of anonymity.

    Also, there'd be a problem of issuing the secret identity keys. Presumably, this would be handled by the companies that already do encryption/security certificates. That means there'd be a cost associated with such keys, which would turn away a number of people. If only a small percentage of people fork over the $XX/year for a personal identity certificate, most sites won't be able to require their use for signup. Furthermore, it'd be difficult for the issuing agency to verify the uniqueness of each request, especially when we consider that this would have an international audience. I also wouldn't be surprised if some of the countries that have whored out their ccTLDs decided to also start selling their equivalent of SSNs to people interested in extra identities.

    Finally, there'd be the issue of identity theft. Having a single, computer-based identity key would be a very tempting target for various malicious programs. If I were an evil spammer type and such an identity system were in place, I'd definitely try and steal as many identities as possible for sign up use.
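The per-site token scheme sketched in the comment above, as an added example that is not part of the original post: a keyed one-way hash (HMAC, my choice rather than a plain hash, so a site holding the token cannot guess the identity by dictionary attack) of the site name under the user's secret identity key. The secret and site names are constructed; the same identity yields the same token at one site (duplicate signups are detectable) but unrelated tokens at different sites (records cannot be joined), and, as the comment notes, anyone who obtains the secret can recompute the token.

```python
import hmac
import hashlib

# Constructed example secret; a real identity key would be issued by a CA-like party.
ALICE_SECRET = b"constructed-example-identity-secret-not-a-real-key"


def site_token(identity_secret: bytes, site: str) -> str:
    """Derive the pseudonym a user presents to one site.

    HMAC-SHA256 keyed with the user's secret over the site name: deterministic
    for (secret, site), one-way, and unlinkable between sites because the
    token for 'example.org' reveals nothing about the token for 'slashdot.org'.
    """
    return hmac.new(identity_secret, site.encode(), hashlib.sha256).hexdigest()


class SignupRegistry:
    """One site's record of tokens that have already registered an account."""

    def __init__(self, site: str) -> None:
        self.site = site
        self.seen: set[str] = set()

    def register(self, token: str) -> bool:
        """Return True for a first signup, False if this identity already has an account."""
        if token in self.seen:
            return False
        self.seen.add(token)
        return True


def demo() -> dict:
    """Walk through both properties and the warrant caveat with constructed data."""
    slashdot = SignupRegistry("slashdot.org")
    t_slash = site_token(ALICE_SECRET, "slashdot.org")
    t_other = site_token(ALICE_SECRET, "example.org")
    return {
        "first_signup_ok": slashdot.register(t_slash),
        "second_signup_ok": slashdot.register(t_slash),   # duplicate detected
        "tokens_linkable": t_slash == t_other,            # two sites cannot join records
        # Whoever holds the secret (e.g. under a warrant) reproduces the token exactly.
        "recomputed_matches": site_token(ALICE_SECRET, "slashdot.org") == t_slash,
    }


if __name__ == "__main__":
    print(demo())
```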

  5. Re:i am a penny-stealer by Fulcrum+of+Evil · · Score: 4, Informative

    In the case of E-Bay and user lockout, there is no exact solution

    In this case, a lockout that is specific to remote address or address block might be useful. Add in some checks for stuff like AOL (different IP each connect and a pile of users) and dialup blocks (lock out a class C network for that login to frustrate redial attempts) and keep stats on where a user comes from (repeated attempts from a commonly used net block may be treated more leniently and trigger an email to the user's registered address, whereas an unusual address generates a longer lockout and no email to the user).

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
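The lockout policy proposed in the comment above, as an added example that is not part of the original post: failures are counted per (login, /24 block) rather than per login, so an attacker hammering an account from one block does not lock the real user out from elsewhere; a block the user has logged in from before gets a shorter lock plus a notice e-mail, an unfamiliar block a longer one and no e-mail. The thresholds, durations and the TEST-NET addresses are constructed.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5               # constructed: failures before a block is locked for this login
FAMILIAR_MIN_SUCCESSES = 3     # constructed: prior successful logins that make a block "commonly used"
LOCK_SHORT = 300               # seconds, familiar block (user also gets a notice)
LOCK_LONG = 3600               # seconds, unfamiliar block (no notice)


def block_of(addr: str) -> str:
    """Collapse an IPv4 address to its class C (/24) network, e.g. 203.0.113.5 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{addr}/24", strict=False))


class LockoutPolicy:
    def __init__(self) -> None:
        self.failures = defaultdict(int)                     # (login, block) -> consecutive failures
        self.locked_until = {}                               # (login, block) -> unlock timestamp
        self.history = defaultdict(lambda: defaultdict(int)) # login -> block -> successful logins
        self.notices = []                                    # (login, block) e-mails we would send

    def is_locked(self, login: str, addr: str, now: float) -> bool:
        """Only the offending block is locked; the login stays usable from other networks."""
        return self.locked_until.get((login, block_of(addr)), 0) > now

    def record_success(self, login: str, addr: str) -> None:
        block = block_of(addr)
        self.history[login][block] += 1      # builds the "where does this user come from" stats
        self.failures[(login, block)] = 0

    def record_failure(self, login: str, addr: str, now: float):
        """Count a failed attempt; return the lock duration applied, or None if not yet locked."""
        block = block_of(addr)
        key = (login, block)
        self.failures[key] += 1
        if self.failures[key] < MAX_FAILURES:
            return None
        self.failures[key] = 0
        familiar = self.history[login][block] >= FAMILIAR_MIN_SUCCESSES
        duration = LOCK_SHORT if familiar else LOCK_LONG
        self.locked_until[key] = now + duration
        if familiar:
            self.notices.append((login, block))  # lenient lock, but tell the real user
        return duration
```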
  6. Re:Technical Solution to Spam by bafu · · Score: 2, Informative

    I think it's pretty silly to imagine that the solution to spam will be through technology. It would be very hard to differentiate spam and legitimate mailing lists.

    The point of redesigning the delivery system is to make that question irrelevant. For instance, some proposals try to add a concept of trust between mail servers. Under the current model, every mail server trusts every other mail server by default. Admins at sites will occasionally block mail from certain sites, or from all dialups, or from all dynamic IP addresses. That is a very crude form of a trust system. In the first case, the lack of trust is based on some evidence of abuse. In the latter two cases it isn't based on actual abuse so much as a history of abuse. Some have proposed more precise trust mechanisms that would be used between mail servers (using signatures, etc. for the identification). The default case could either be trust or no trust (depending on whether the solution uses whitelists or blacklists)... the point is that abuse from a site that isn't dealt with would cost you the status of a trusted server. That essentially moves you away from the whole per-message differentiation problem. The end user, after all, can tell the difference between spam and legitimate mailing lists. The devil in the details in this case is who maintains the lists and what sort of mechanism is involved in getting on and off them. Presumably there would be many (much like the choice you have in NoCeM lists for Usenet) and, if so, that might make the question less critical.

    And of course a legal solution can work...to the extent that other laws work and are enforceable. Many forms of mail fraud are illegal, but that doesn't mean you won't get mail scams and such sent to you. However it severely reduces the amount that you receive and also determines a path for you or the government to prosecute offenders.

    Unfortunately, the legal approach has its own pitfalls. For one thing, there is a big question of jurisdiction. We sort of wink at the question when it is used to go after spammers because we don't like spam, but do we really want to establish the idea that a local gov't can impose its particular laws and mores on the net? There are also technical problems. It's easy to identify the relay that the spam was sent through. If they provide contact information in the spam (kind of useless without it, unless it's one of those advocacy spams) you have that, as well. But that, in just about every case, doesn't identify an individual. Let's say they used a throwaway Yahoo! account. Well, we just read that Yahoo! doesn't have any way of identifying who the account holder is. As for the relay, I don't know how common my case is, but most of the spam I get is relayed from foreign countries.

    So does the actual payoff of a legislative solution in terms of spam reduction make up for the precedent it establishes for local gov'ts to legislate net activities? FWIW, I get more spam than ever now (although, thanks to SpamAssassin, I don't see as much of it as I used to).

  7. Re:Sleazy Yahoo Business Practices by Anonymous Coward · · Score: 4, Informative

    Your claims are pretty slanderous, and you don't have much to back them up.

    For one, it looks like Yahoo did not even implement their own system. If you look right below the word prompt, you can see they're basically using Captcha developed at Carnegie Mellon.

    Are you saying CMU stole for you as well?

    Is it possible that others came up with similar, if not better, systems, and they used them instead?

  8. Re:Terminology by Tony-A · · Score: 3, Informative

    Why on earth does this guy call "violating security" of web services "hacking?"
    Because it's so much easier than actually fixing anything.

  9. Re:The last quote interests me... by Reziac · · Score: 3, Informative

    My business relies on people finding my website, then emailing me directly. NONE of my prospective clients would try again if they got a "who are you?" message back that they then had to do something special to reply to so I would see their message.

    Yesterday I was on the wrong end of such a bot myself. I emailed the owner of some linux-related site, and got back an autoresponse that informed me I had to reply with a certain string in the subject to get past the spam killer. So I did -- and got an automated "rejection" message. Will I try again? No. If the guy is that friggin' paranoid, to hell with his product.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  10. Read the article (was: Re:Yahoo's problems...) by sorbits · · Score: 2, Informative
    if Yahoo has such easily exploitable end-user software, I'm very worried about the quality of their security as a whole.

    The article is not about (security related to) instant messaging, but e.g. bots signing up for a dozen Yahoo E-mail accounts, which use them for spam, people grabbing their stock quotes every fifth minute and re-publishing them on their own site, people who do password attacks on auction accounts to trigger a lock-out, so that the bidder can't place any new bids during the last hour of the auction etc.