Slashdot Mirror
Hacking Web Services
siduri writes "Udi Manber, chief scientist at Yahoo!, gave a great talk on the kinds of hacks that Yahoo sees at the IEEE's Symposium on Security and Privacy. I wrote an overview of his talk for Dr. Dobb's Journal. While some of the message is well-known stuff (like that people will spend a lot of time hacking the most trivial things), the details of what Yahoo has to deal with are really pretty interesting."
Why on earth does this guy call "violating security" of web services "hacking?" I read this article expecting to hear about some nuanced application hacks for XSLT or SOAP or general "Web Services" not a security "lookout!" article. This should be filed in the "no shit" department. If you leave a service open which can be connected to, be it a socket or a web form, somebody will start passing date to it to see what works and doesn't work.
Comparing it to Windows will be a moot point, since El Dorado is going to have a 40% larger code base than XP.
at least according to the yahoo guy.
my personal site (which is) grabs headlines and quotes from yahoo for my personal use using a perl script. solution? simple.
yahoo (like the record companies) should provide a resource for me to get this text cheaply (and quickly), and i'll pay them for it. the demand is there. basic economics dictates that people provide a supply.
now, i understand they are talking about thieves, on the whole, but it seems easy enough to track massive hits from another server and then to block it. i mean, it's 2002. let's fix these problems.
go get it
He's not relying upon obscurity, but it IS a tactic. You don't put a whiz-bang safe in your house that holds $1M and then advertise it in the newspaper. Your safe IS secure, right? And the mass account creation anecdote was in humor ...
Your characterization of him as a "world-class sleazeball" seems to be unwarranted. In response to point #1, did you not read the explanation that immediate publication of his countermeasures would cause harm to Yahoo? Security through obscurity is not a permanent fix to any problem, but in the short term it is preferable to openness if there are no better alternatives available.
As for point 2, I'm quite certain that his quip about distributed computing was in jest.
Finally, regarding your third point, why shouldn't he attempt to protect Yahoo's content? I'm certainly not going to give you root access to my server; does this mean I'm attempting to "Balkanize the web"?
I don't know if you're being sarcastic or not, so I'll assume you're not.
1) Yes, this is a form of security through obscurity. However, the methods they use to counter attacks are not intended to make the system more secure, but hopefully to identify those that are abusing it. The actual problems are much more fundamental in nature. You have to weigh the user friendliness of a free and open network, with the fact that a significant number of people would destroy the network if they had a chance. The alternatives were stated in the article. Require actual names and credit card #'s from everyone. However, they don't want to take it to that extreme, so they're forced to use clever tricks to counter the malicious actions of those who only seek to abuse.
2) The distributed computing comment was a joke. The point of asking a user to compute a simple math problem is to trump the bots, not to accomplish any task of economic significance.
3) Obfuscated HTML is possible now, and not too difficult to implement. He could do it if he wanted to, and it would at least slow down the bots. Why not do it? Well, it slows down the connections, and it will break some browsers. So they continue in the name of greater compatibility rather than some locked down browser specific html coding nightmare that creates more problems than it solves. And no, he's not suggesting packetflooding the offender, even if he jokingly implied it. He's looking for a defense that does not involve governmental regulation and does not involve decreasing the openness of the internet.
-Restil
Play with my webcams and lights here
"Oh! somebody stole your credit card number from our database...Sorry...we've been trying to fix that. In the meantime, here's a coupon for a free CD."
The only way to secure a transaction/service is to use physical ID/presense. So go shopping at the mall, and share ideas online. Simple solution to a complex problem.
"Make it by hand, break it by hand"
You needn't be insulted. Just because having (or doing) a Phd implies cleverness does not mean that lack of a Phd implies lesser intelligence.
he talked about countermeasures instituted against hackers, but doesn't want them openly published (security through obscurity, anyone?)
I'm quite tired of hearing statements like 'company X won't reveal Y; this demonstrates security though obscurity which everyone knows is bad.' Well, it's not! Your statement demonstates that you can echo the slogans but don't understand what security really means. I strongly encourage you to read a recent Crypto-gram by Bruce Schneier. You cannot apply the principles used for analyzing a mathematical system to all real world security issues.
Given one hour to live, the student replied: "I'd spend it with professor FP who can make an hour seem like a lifetime."
I am unsure if here he is saying that anti-spam legislation will be ineffective, or if the "right to spam" should not be outlawed by lawmakers. I would imagine the former is what he meant, since obviously, having the U.S. outlaw spam will do nothing to stop spammers in other countries, and probably do little to stop spammers here in the states either....
Solving the spam problem technically seems to be impossible though. People have been trying to do that forever. I find it very poignant that in the same passage he says that spam could kill off services if it continues to be unstoppable.
---------------rhad
Slashdot needs to interview Natalie Portman.
First, security through obscurity is only dangerous if it is the main line of security. Obscurity can be an important and necessary part of security. For instance, it not wise to publish the exact configuration of every computer on a network, even though, conceivable, such information might allow some help in keeping the computers secure.
Second, I think the registration procedure for Yahoo! is quite clever. I am much more likely to get crap from a Hotmail account than a Yahoo! account. The use of people to do distributed computing(as was done 200 years ago) is clearly so unreliable that such a statement must be a joke. However, the intent to increase the time necessary to create an account is valid.
The third point is of concern for all of us who wish to have free and unrestricted flow of imformation. On the ohter hand, the balkanization of the web is already here, with the help of Microsoft and Macromedia. For instance, bus schedules in houston are provided on the web with flash introductions and PDF only formats. Why is this neccesary for someone who just want to catch a bus? Yahoo would likely add just a few more useless plugins and extensions to a web already rampant with useless plugins and extensions. To Yahoo's credit, it is one the few sites that reliable, effectively, and quickly works with all the browsers I have tried(Netscape, opera, mozilla, and IE.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
Yahoo!'s problems are no different from those brick-and-mortar retailers have with loss leaders and promotions: if you give something away at a loss, there is a good chance that others will find it profitable to get lots of it and resell it. It's not a security problem, it's a problem with the business model. Welcome to the real world.
Yahoo! may want to continue to bask in the glory of having many millions of users, but if they want stop these problems, all they have to do is charge for all of their services. The choice is really theirs.
Don't get me wrong: I like Yahoo! services and I think it would be great if they continue to be free. But I really worry when Manber uses terms like "theft" and "security" for a problem that has very little to do with "theft" and "security". Fortunately, Manber himself isn't calling for a legal solution, but management and lawmakers may be less understanding of the issues involved.
During hotly contested auctions, some users will mount password attacks on other bidder's accounts an hour before the end of the auction -- not to actually gain access, but merely to trigger a security lockout, thereby ensuring that the legitimate user cannot place last-minute bids.
I realize how ridiculously easy it is to get a new IP address on a dialup system or in a facility where someone has access to many addresses but wouldn't a simple IP block after so many attempts help discourage the casual DoS but still allow the legitimate user access when they come to make their last minute bid?
If not this then what about using a login name which is different then the displayed account name? This way the login name is not available to people viewing a particular account's public details for their use in a DoS. I know this is an added step of complication but may be necessary to eliminate bad side effects.
The social problem is that we expect strangers to read our emails to them without any verification. This worked great fifteen years ago, but not now.
The solution is for email clients to send simple challenges to unknown senders, like "tell met the sum of three and four and I'll read your mail." Ie., we change our expectations - if we email a stranger, we should expect to spend a few extra seconds introducing ourselves. People stuck in the old mindset don't like this idea, but the old system doesn't work, and this solution would eliminate spam completely, while taking very little user time.
There are a few extra details to take care of to make it a complete solution, but think about it a bit and you can see what to do.
The US patent system makes it trivial to protect your intellectual property. If you had a patent on the techniques, then you should seek legal recourse (i.e., a lawsuit) against Yahoo for patent infringement. If you didn't have a patent, well, that's the risk you take for showing a potential competitor an obviously copyable idea.
Have fun: Join D.N.A. (National Dyslexics Association)