Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

First post

[TheSpoogeAwards]

Go home, dickbutts.

GNAA INFORMATION FOR THE GAY NIGGER

[ADOT+Troll]

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the first organization which gathers GAY NIGGERS from all over America and abroad for one common goal - being GAY NIGGERS.

Are you GAY?
Are you a NIGGER?
Are you a GAY NIGGER?

If you answered "Yes" to all of the above questions, then the GNAA (GAY NIGGER ASSOCIATION OF AMERICA) might be exactly what you've been looking for!

Join GNAA (GAY NIGGER ASSOCIATION OF AMERICA) today, and enjoy all the benefits of being a full-time GNAA member.

GNAA (GAY NIGGER ASSOCIATION OF AMERICA) is the fastest-growing GAY NIGGER community with THOUSANDS of members all over United States of America. You, too, can be a part of GNAA if you join today!

Why not? It's quick and easy - only 3 simple steps!

First, you have to obtain and read the Regional Transportation Plan for the Maricopa Association of Governments sponsored by the Arizona Department of Transportation. You must take a test to verify your knowledge of the plan. The test consists of 6 questions:

1. How many lanes will US 60 be from Val Vista to Power Rd?
2. What is the scope and span of I-10R?
3. What is the Wickenberg Bypass?
4. When will the Williams Gateway Freeway be built?
5. What is planned for I-17 from McDowell to Dunlap?
6. What is planned for US-60 (Grand Avenue)? How much money is set-aside?

Second, you need to succeed in posting a GNAA "first post" on slashdot.org, a popular "news for trolls" website

Third, you need to join the official GNAA irc channel #GNAA on EFNet, and apply for membership. Talk to one of the ops or any of the other members in the channel to sign up today! >[? If you are having trouble locating #GNAA, the official GAY NIGGER ASSOCIATION OF AMERICA irc channel, you might be on a wrong irc network. The correct network is EFNet, and you can connect to irc.secsup.org or irc.easynews.com as one of the EFNet servers.

If you have mod points and would like to support GNAA, please moderate this post up.

I am protesting Slashdot's chronic abuse of its readers and subscribers. Please visit www.anti-slash.org and help us!

Re:GNAA INFORMATION FOR THE GAY NIGGER

WTF? I am an AVID GNAA fan. This post CONFUSES me.

Re:GNAA INFORMATION FOR THE GAY NIGGER

I'd like to give a shout-out to penisbird, DiKKY, timecop, Kobaz, til, tirel, lysol and nr.

lazy

People are getting lazier, as people get lazier security goes down, deal with it.

Re:lazy

[}InFuZeD{]

Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.

Re:lazy

People are getting lazier, as people get lazier security goes down, deal with it.

poeple arenot geeting lazy! their just..aw fuck it.

TP

third post

500 Internal Server Error

An internal server error occurred. Please try again later.

If you think slashdot is having to many of these reply to this post.

Re:500 Internal Server Error

the spammers are ddosing us ;)

Re:500 Internal Server Error

when i clicked reply i got ANOTHER one of those messages.

P.S. and when i clicked submit.

GOOD LUCK WITH YOUR MASTURBATION

I have good luck with mine

Nigger nigger nigger lysol

lysol
ysoll
solly
ollys
llyso
lysol

GNAA was here YOU FUCKING NIGGERS

LYSOL

Well, duh.

[James+A.+C.+Joyce]

The idea of social networks is just insecure from the get-go. When people are connected, there's increased potential for security risks and flaws to be exploited and to be created. It's like broadcasting your real email and IP addresses on Usenet - a bad idea. The buggy implementations are just icing on the cake.

Re:Well, duh.

"Make me your friend; my fans get +1 comment scores."

first, tell me are you a whiny lying backstabbing greedy conservative? or are you a whiny lying backstabbing greedy liberal?

i make my friends/foes based on political leanings.

Re:Well, duh.

[kfg]

Look, I don't suppose you could be convinced to take a dinner break or something, could you?

KFG

Re:Well, duh.

1. " The idea of social networks is just insecure from the get-go."

2. "Make me your friend; my fans get +1 comment scores."

?

Re:Well, duh.

[commodoresloat]

Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.

EAT ME GNAA COCKSUCKERS!

TrolKore rules /. forever.

CmdrTaco prefers TrollKore's cox in his anus
to GNAA's!

Re:EAT ME GNAA COCKSUCKERS!

Trollkock seems to be losing this battle

Slashdot doesn't use SSL to login

Guess it doesn't matter if you just stay anonymous.

Re:Slashdot doesn't use SSL to login

I never posted that! Someone has stolen my identity!

How often they get caught

[RobertArnold]

I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.

Re:How often they get caught

[benna]

I would be all for that.

Re:How often they get caught

[Brahmastra]

I was a victim of identity theft once and made a police complaint, an FTC complaint, etc.. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.

Re:How often they get caught

how about the rate of comment theft?

I congratulate you for using the anti-slash db tool.

The jihad is alive and well. Allah Akbar!!

Re:How often they get caught

1 in 7,000, baby. You've been called out.

Re:How often they get caught

[Aviancer]

Indeed. My wife was the victim of identity fraud. The police caught the perp with my wife's ID -- and LET HER GO. She's been stealing cars from rental agencies and running up Sam's Club credit and cell phone bills ever since -- and the cops know who she is, and how much of a scourge she can be...

Re:How often they get caught

[Carewolf]

Like with most things in life. Problems only gets solved once they truly become a problem. Currently banks takes the responsibilty when they are conned out of money. Once they loose more money this way than it would cost to do something about it, it would change.

The same happens with most laws. The laws the politician creates in the meantime are either of no real significance or to boost personal interests.

Re:How often they get caught

They need to start castrating identity thieves...

What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterent going to be?

Rather than concentrate on more and more extreme punishments, maybe we should concentrate our resources on more and more effective ways of catching fraudsters? Y'think?

Apparently I have to wait another couple of minutes before posting this, so on another subject: why oh why oh why are CD players so big? I mean, with the latest codecs, you ought to be able to store much much longer audio streams on those tiny little CDs you can fit in your pocket. So why not start making more portable CDs like that and standardize on a format and codec?

And what's the deal with all those endings for Lord of the Rings: Return of the King? Some of us had to go for a pee for crying out loud. Did any of them add any value to the film whatsoever? No, so why include them? And is the rumour true that the Special Edition Extended DVD version of Return of the King will be essentially the same film only with another three hours of endings tacked on to the end?

Re:How often they get caught

[bblfish]

The problem in America is that once you have someone's social security number you can pretty much do anything. You are most of the way to owning their identity. Most banks only require you to recite your SSN before you enter any transaction. This is allready a huge security hole, but is becoming larger as more and more services ask for the SSN to help identify someone. It was impossible for me to get a cell phone in California 6 years ago without using my SSN for example. The more people have this info, the easier it is for it to get into the wrong hands. The banking system is really to blame. A SSN should NOT be used as a way to authenticate someone. A SSN is simply the same as someone's name. Everyone should have something like a cryptokey which we were given at DEC. When you contact your bank you could first give them your name, they would send you a challenge, which you could enter into your cryptokey, and would return its response. Since the challenge would always be different, even the employee of the bank would not be able to do anything with that information. The problem is glaring. The solution is obvious. Banks should really be held responsible for not coming up with a solution to this.

Re:How often they get caught

[ardiri]

Most banks only require you to recite your SSN before you enter any transaction
damn.. i love sweden. everyone has an identity card; no photo = no identity card. you cannot do anything without your identity card; everything is based around your personal number (like social security id), but, if you want to do anything serious/transaction/bank stuff/use credit card - you have to flash that lovely little bit of plastic.

no problems with identity theft here. oh well.

Re:How often they get caught

[mingust]

Only case of identity theft that I've heard of was one of the customers at the bank I work at. He did all the investigation himself and figured out how to steal his own identity. Turns out, he ended up calling the guy that stole his identity as the cops were on his front door. Yet again we see that to get anything done in the American legal system, you have to be anti-American and get up off you ass to do it yourself.

Re:How often they get caught

[mingust]

The patriot act has solved some of the problems associated with identity theft, as banks now have more information about their customers. Regardless if this is a violation of personal privacy or not. Working in a bank, I often check to make sure the phone number being called from is one that matches and account or ask other information than a social security number. The most important method of identification is the personal relationship at a bank though. If you don't want your information stolen, find an employee that's been with the bank for a long time and deal only with that person. I know when I transferred locations, it was a very foreign atmosphere to me and people were upset when I'd ask them for ID because I did not yet know them. The many many cases of identity theft are also due to people giving out their own information to scams, not leakage from corporate sources. I can't count the number of pay stubs that are discarded without being shredded each Friday. Each one often has a SSN, as well as other personal identifying information.

Re:How often they get caught

What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterent going to be?

7,000 crimes does not imply 7,000 criminals. The risk for an individual criminal is the added risks for all his crimes.

Re:How often they get caught

[michaelhood]

These cards can't be faked? We've seen perfect fake IDs (Drivers' Licenses) here in the States.

Re:How often they get caught

[blueandwhiteg3]

I wouldn't go assuming they're all men...

As a CISSP...

[bc90021]

...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.

It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!

Re:As a CISSP...

[filth+grinder]

As you said, it's cheaper to do it right the first time, design good comprehensive security in from the ground up.

Now, I'll tell you how it works in the real world. Most of these social network sites are designed small. Some odd project that happens to catch on and spiral out from there. Most sites start out small and then explode. This isn't giant corporations with lots of employees. Hell, most of them aren't even start ups. They are guys in basements who had an idea for a site, it took off. Through donations and subscriptions they gains size and scaled their programs up. Now they need to worry about things like SSL and site performance, and it's too late.

It should have been done from the ground up, but it wasn't. Things like SSL and good tight security don't get built in when you never intend for projects to get as big as it does.

Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack.

It's even easier to sit back and scoff, "you should have done it in the beginning".

Re:As a CISSP...

Actually, it's easy just to stick Apache in front of an app, buy a certificate, and turn on SSL. These securityfocus guys are engaging in yellow journalism here, trying to make a story where one doesn't really exist.

Re:As a CISSP...

[bc90021]

That is true, however:

I wasn't scoffing. ;)

Secondly, it is easy to let security go slack. And that is my point. I have seen way too many places do just that. Everyone starts small. But how many people plan to stay that way?

How hard is it to use two commands to generate a CSR? If you don't know how to do it, Google for it. GeoTrust has step-by-step instructions, as it's in their interest. Don't know how to run Apache securely? Pay a consultant, or ask a knowledgeable friend. By posting to craigslist or slashdot, they could have found someone willing to trade services for potential profit sharing or even a free account for life.

I'm not saying that things like memcache or the databases aren't important, and shouldn't have been prioritised. But they ignored security, and their customers have already payed the price in some instances. There comes a point where the diminishing returns of working on everything *but* security will start to directly affect everything else, and that is what has happened here.

Re:As a CISSP...

When you say 'that is what has happened here', do you mean that someone has paid some price because these sites aren't secured by SSL? Who?

Or do you mean that the companies have paid the price by being the target of bad press?

Re:As a CISSP...

[Dulimano]

I work for such a site (wiw.hu). The parent gives a perfect description of our situation.

Re:As a CISSP...

[bc90021]

Both.

The companies obviously got bad press. And the article states that at least one customer had his account hacked into, and those entries he kept private were posted publicly, embarassing both him and his friends.

All it takes is for that to happen to someone who has a good lawyer as a relative, and all of a sudden lack of security translates into legal expenses.

Re:As a CISSP...

it's so easy, slashdot still hasn't done it.

Re:As a CISSP...

[James_G]

Look at a site like Livejournal. It started small, and now it's taken off to being incredibly popular. They had a small team working on the site who had to decide what stuff needed to be done. Once the site got large, you have to go, "well, the site is running slow as it is, do we set up some more databases, work on memcache, or impliment SSL which will bog down performance even more." Obviously in order to stay in business they had to improve the site performance and struggle to keep good service up. It's easy to let security go slack

Yeah, nice example, except (and I'm quoting from the front page of livejournal.com here):

"Plans for 2004
Things we're interested in working on this year:

Secure logins and password changes using SSL and challenge/response (this is finished, but we're going through final testing now)"

Re:As a CISSP...

[lelnet]

It certainly is easy to set up SSL, more or less the moment you start collecting money (or the moment you're confident enough that money will eventually come that you buy a certificate out of pocket).

The problem is that SSL (as usually practiced on the web...ie server-side certificates but no user-side ones) is in no sense whatsoever a solution to the security problems that these sites potentially face. Web-style SSL is a fair-to-middlin' solution to the nonexistent problem of man-in-the-middle sniffing of credit card numbers, but it offers no defense whatsoever against impersonation attacks, which any rational analysis says are the biggest security threat to this kind of site.

Acquiring the cargo-cult trappings of security is easy, these days. Really becoming secure is rather harder, and does require forethought.

I STOLE A WHOLE BRANCH OF FRIENDS

and I feel damn cool for doing it. They still haven't figured it out.

It's just common sense

[Waffle+Iron]

Only a total idiot would post a message on a site that doesn't use a secure login procedure.

Oh, wait...

Re:It's just common sense

[/dev/trash]

You can login via SSL at K5

what a bunch of idiots...

One friend feared that she might lose her job when a private entry about problems with her supervisor was made public

Rule 1:
If you want to keep something confidential, don't post it on a free website.

If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."

Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.

Even with SSL

[tr0llx0r]

you're far from safe. SSL connections are vulnerable
to MiTM attacks - we saw this with M$ Passport, hotmail
etc. The only solution to these problems, is
for people (ie the average user of /.) to realise
that anything they transmit over the net is sniffable
with a little effort.

In a dorm or corporate lan environment, all it takes
is one trojaned laptop running a sniffer, and all
you CC numbers are belong to us.

GNAA!

Re:Even with SSL

you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems, is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort. In a dorm or corporate lan environment, all it takes is one trojaned Cmdr Taco fucking you asss, and all you CC numbers are belong to us.

Re:Even with SSL

[m0rph3us0]

SSL is safe for people who read warning messages.

Re:Even with SSL

Take it a step further than that, even. SSL has demonstrated vulnerabilities, but even if you tunnel your HTTP connection over SSH using AES encryption, security could still suck.

Encrypting transmissions only solves the problem of transmission. What about how well the data is protected once its already there? Are passwords hashed on the server or stored plaintext? If they're hashed, are they hashed properly? If they're hashed properly, are they adequately protected? Is the server itself well protected against unauthorized access? The list goes on.

The way I explain this to my wife is: what good is a secure browser connection if the company on the other end prints out your credit card number on paper and doesn't shred it? It's even easier to dumpster dive than it is to sniff packets.

Re:Even with SSL

[netjeff]

SSL connections are vulnerable to MiTM attacks [...] In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all you CC numbers are belong to us.

A trojaned laptop running a sniffer is not a man-in-the-middle (MiTM) attack. SSL is safe against sniffers. For MiTM, you need to compromise a router/switch. Or else compromise a proxy that the network requires you to use for external web-access.

Re:Even with SSL

[Kent+Recal]

I think what you say is wrong.
SSL/TLS is not vulnerable to MiTM when configured properly and used properly.

The main cause why MiTM on SSL can happen in the wild is that most browsers allow you to override SSL-warnings and establish a connection even tho the identify of the other end can't be guaranteed.

Whenever your browser presents you with a warning message (whatever it is) regarding the SSL-connection that it is about to establish then make sure to realize that you could as well switch back to plain http at that point.

Re:Even with SSL

[stefanb]

[A]nything they transmit over the net is sniffable with a little effort.

I do realize this is /. but this is just bullshit. SSL/TLS is not vulnerable to man in the middle attacks as long as the trust chain is not violated.

Are there many people out there that do not understand that just clicking Yes when they're presented with a warning will expose them to all kinds of malicious attacks from some random web site? Yes, sure.

But any security system is only going to hold up if the people using it understand it's limitations. Namely, in the case of SSL/TLS, that the Root CA's whose certs are embedded in your browser are doing a proper job of only handing out certs to trustworthy people.

And how many "security experts" still believe that using your own CA is somehow less secure than one of the commerical ones, when dealing with VPN/Intranet traffic?

Re:Even with SSL

Wouldn't arp spoofing work also? What if that laptop with the sniffer on the network pretended to be the gateway for the network by spoofing an ARP response and sending back its own mac address faster than the real gateway could? When a new machine boots up on the network, it would be inadvertently redirecting its traffic through the fake gateway. Now once the gateway traffic is being routed through the laptop, it can then send fake SSL certificates when anyone makes an SSL connection and although the SSL connection is being encrypted, it is being encrypted to the fake gateway's key which can decrypt that and re-encrypt the data to the real site's key and do this without any warning on the client if they are running a non-patched version of Internet Explorer that failed to validate the certificate chain.

eCommerce Failure

[pipingguy]

All the more reason to allow "anonymous", one-time use of purchased credits.

Like phone cards - pay cash and use it online as you wish without easy tracking.

Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information.

Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.

Re:eCommerce Failure

[metlin]

There is another solution to this - use a check card.

I have an account which has very little money that I use just for online transactions and at clubs.

Usually, my online purchases don't exceed $100, so I just pay using that account. And when there is a need for me to pay more than that amount, I just transfer the amount to my checking account.

Not exactly very convenient, but it works just fine for me. And it sure as hell is safe.

Re:eCommerce Failure

[pipingguy]

That's a good idea, but it lacks marketing impact.

The poor typically don't have multiple bank accounts.

Re:eCommerce Failure

[metlin]

True, but just how difficult is it to set up a new account?

In fact, there are a lot of banks that support small businesses and have no minimum balance requirements (Wachovia, for one) for checking accounts. And there is almost no fee for maintaining the accounts, either.

I know that its not a "cool" idea but the point is that its simple and it works! I think once people are convinced of the after-effects of identity thefts, it would not be too hard.

Its almost like having multiple slashdot ids ;-)

Re:eCommerce Failure

[greenegg77]

Yeah, you may only be liable for $50, but the extra bottle of Tums you down after seeing your balance skyrocket plus the fun of playing with your CC company disputing the transactions makes up for the rest of the balance. I'm moving to companies that offer one-use numbers.

Re:eCommerce Failure

[Detritus]

Check with your bank on their policies for overdrawn accounts before you rely on separate accounts. When a check was presented that was far in excess of my checking account balance (due to MICR data entry error), my ex-bank just took the money from another account that had sufficient funds to cover the check. I didn't find out about it until I got my monthly statement. As far as I can tell, no human was involved in making the decision. The bank runs on autopilot for routine decisions. I eventually got all of my money back and the service charges refunded, but it was a pain in the butt.

Re:eCommerce Failure

[M.+Silver]

fun of playing with your CC company disputing the transactions

In my experience (mostly secondhand), disputing the transactions is ridiculously easy (provided you have a good credit rating and history of paying on time)... the credit card company just eats the charges and goes on its merry way, and doesn't even make a significant effort to find the perps.

This is not especially comforting, being that if this is happening with any sort of frequency, you know the company's not going to say, "Well, we'll just have to take it out of the CEO's salary"... it's coming right back around in fees and interest rates.

So even when it's easy, you don't get to put away the Tums, because you get to think about how you're ultimately paying bits and pieces of a *lot* of these sorts of incidents, even when they "forgive" all the charges (including the $50 liability, too... after all, if their customer has to pay any VISIBLE charges, they're liable to actually rock the boat about it).

Re:eCommerce Failure

[thogard]

use a check card
How stupid.

With a check card, your have all the liability while with the credit card its with the bank (-$50 in both cases according to the law but set at $0 by the CC compaines)

If I take $10,000 out of your account and the bank finds you at fault even if you never had more than $100 in the account, they will take all of your next paycheck. With a CC, your stuck with a bad credit report. Don't consider the best case for fraud, always consider the worst case when weighing your options.

MODS ON CRACK?

This is totally on topic!

P.S. Got internal server error AGAIN when clicking submit.

it's always been this way

[ohzero]

the web doesnt change anything. Especially if you're talking about "hackers." SSNs, Credit Card numbers, and many other implements of destruction have been made available to those who would crack systems or sift through garbage cans since I can remember. There's really two points that matter:

• There are people who participate in identity theft via any means possible, because that's the life they lead.
• Social security numbers in and of themselves ARE the vulnerable entry point because the information flow to and from them is bidirectional.

The only possible suggestion here is the same one that's been played over and over on the record entitled "keeping your information safe for dummies," which is "use caution and reason in any transaction you make.

Offtopic?

Actually, that was not offtopic (nor flamebait, nor troll.) Moderators, please read the article before moderating. (Reading the moderator guidelines wouldn't hurt either.) kthx

Boycott social networking sites

[Seth+Finklestein]

A lot of good has come out of the "social networking" craze. I have personally blogged about a lot of this on my personal blog that I administrate myself. You'll notice that I have discovered a very unique piece of software called "Movable Type" that allows me to blog what I want without surrendering any information to the outside world. That's right: every time you go to Friendster, LiverJournal, or another so-called "community" site, you are subjecting yourself to a host of vulnerabilities. Read the privacy policies: these sites surreptitiously save data to your hard drive through the use of so-called "cookies"; they may serve intrusive ads that interfere with your web browsing experience; and they may fall prey to black-hat "crackers" (not "hackers").

Personally, I feel that every third-party site is not to be trusted. For the greater good of the blogosphere, I believe that the future lies in individually unique weblogs connected by a perfectly synergistic system of TrackBack pings.

Sincerely,
Seth Finklestein
Social Networking Consultant

It's an interesting proposition

[Fortunato_NC]

In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.

But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.

Seems like a rather immutable Catch-22 to me...

Re:It's an interesting proposition

[kfg]

The same is true IRL as well. Put the best lock on your front door that you want, it really doesn't matter. I'm coming in through the window anyway. Boarding up the windows reduces the utility of your house and just forces me to come in through the basement.

You could build a wall around the house I suppose, which again is a pain for you, not to mention expensive, and doesn't slow me down all that much really, but it makes me nice and invisible from the street once I get in. So now you have to add all the electronic gizmos. . .

I think Patton had something to say about fortifications.

Most physical security amounts to efforts to keep slightly dishonest people honest as regards your property. You don't have to outrun the bear, just your buddy.

The bad guys are going to do a certain amount of winning. It's selfish but the trick is to do your best to make sure it's the other guy who looks like the rube so you get left alone.

'Cause if they really, really want you, they're going to get you sooner or later.

Having bodyguards didn't help Indira Gandhi one little bit.

KFG

Re:It's an interesting proposition

"Having bodyguards didn't help Indira Gandhi one little bit." nor JFK p.s. Cobain was murdered, too.

Re:It's an interesting proposition

[Jeff+DeMaagd]

I was on a Yahoo or Google group for promoting an annual event that didn't require a log-in to post a question. The problem is that it was spammed with nasty political crap and the admins didn't care, they would rather see spam than turn away a person too impatient to log in. OK, that's my slant but I think the point remains.

The admins thought that registering is too much of a pain so it stays open. The problem that didn't register with their little minds was that if a user weren't going to spend the time to register, will they even remember to return to get the answer to their question.

it'll go on like this until somebody pays dear...

[demonhold]

It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.

It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...

What do we expect anyway, common sense is the less common of senses..

Something's wrong here

particularly their lack of SSL logins

As if that is our problem. That's the wild-west attitude: if you can't secure yourself, you deserve whatever you have coming for you.

Why should we invest in something that's a self-evident fundamental right (even on the net): security.

What we need here is strong action from the world governments. Make the net a safe place for everyone!

Re:Something's wrong here

I know what's wrong! You forgot the .

PARENT IS COCKSUCKER!

you fucking fag.

IF I EVR MEET YOU I WILL FUCK YOUR ASS!

# messages before posting your own to avoid simply duplicating what has already been said.
# Use a clear subject that describes what your message is about.
# Offtopic, Inflammatory, Inapp

The question is the wrong one

[lgeezer]

Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and given the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it suggests that the problem here is not how to provide technically secure transactions.
The problem here is how to create personaly security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don't stare at other guys for too long. That is how they are personally secure, not because the mall guards have guns.
So a more interesting question is not "how can you make other people more secure?" but "how do you make yourself more secure?" Publish your results, and best practice will win.

Re:The question is the wrong one

Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs.

You can buy SSL certs from www.instantssl.com for US$49. Works with any modern browser (99%+). No need to pay the verisign prices.

I had to hack phpbb and get an SSL cert...

[mellon]

...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.

Re:I had to hack phpbb and get an SSL cert...

[Anonymous+Crowhead]

$49 ssl certs

Re:I had to hack phpbb and get an SSL cert...

[mellon]

They don't work with enough browsers. :'(

They claim that they do, but I tried one (a two-month demo cert), and immediately ran into users that couldn't use the cert. I have a lot of users with really old computers. Sigh.

Re:I had to hack phpbb and get an SSL cert...

[Anonymous+Crowhead]

We had that problem too. After tweaking the SSLCipherSuite directive in http.conf (and canceling support for Netscape 4.x), we have solved most if not all of the issues.

Re:I had to hack phpbb and get an SSL cert...

[mellon]

Cool. Maybe I'll try that next time - thanks!

Compare with Europe

[Aens]

Did you know that the crime of identity theft ist virtually unknown in Europe (at least in Germany, where I live)?

And there are some obvious reasons for this:

- Nobody in Europe has mail boxes without a lock. European mailbox are usually flat, upright, rectangular boxes with a slit on the top of the front where the mailman drops the letters and they fall down a slide so you cannot get them out without using either very long pliers or, of course, the key to unlock the door at the back.

- No bank would give you a checking account or a credit without checking your ID card and making a photo copy of it and noting the number. (Remember that in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

- All laws and courts agree that a reasonbable proof that somebody did make a business transaction is a signature on a piece of paper, or at least some computer record showing that the customer has entered a secret PIN. 'Secret' meaning, that nobody else should be able to know it. (PINs are printed out by the banks' computer systems and put in a sealed envelope without any employees being able to look at them.)

- Especially, if you told a court that a business transaction was valid because you checked the caller's identity on phone by asking for his SSN (or some lcoal equivalent of this), his date of birth or his mother's maiden name, the judge would probably only laugh at you.

While staying for half a year in California, I was quite astonished about the lax way of checking identities common in th US.

(For example, I got liability insurance for the used car I bought by just phoning the company. The guy asked for my Visa card number, then said 'Fine. Your car insurance is valid starting now, i.e. 4:13 pm.' That was great and convenient, but after all, I still prefer the European way, where they'll first ask 'So, how do we know, that this was your credit card number, and not taken from some receipt you picked out of a trash can?'. As the very least they would want proof of your address so that they can send you a court summons in case you tried a fraud.)

Re:Compare with Europe

Did you know that the crime of identity theft ist virtually unknown in Europe (at least in Germany, where I live)?

Yes I did. That's because I read the post made months ago that you copied this from.

Re:Compare with Europe

[HeghmoH]

I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get sticker, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made-up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.

I have no real contention with the rest of your statements, just this one.

Re:Compare with Europe

in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)

Even though this looks like a copy, I'll respond.

I am a french citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter france (and most of the EU), and it's trivial to forge this document.

Re:Compare with Europe

[nightgeometry]

I always thought you Americans had to show a reasonable amount of documentation when opening a bank account, to prove that you were *you*

I have to say that I am English, not American, so I could be talking rubbish (which is not unknown...)

Wired has a rather old article about this, and i remember doing some project work for a large US bank in London for this. No idea if anything came of it though.

(Of course, by the sound of it, from the parent poster, nothing much did come of it)

Re:Compare with Europe

[pipingguy]

Banks here (Canada) have digitized reproductions of the original account owner's signature. How far away are we from having a face image in the database?

And will this generate more of that face-ripping-off crime?

Re:Compare with Europe

[HeghmoH]

Well, I am a bit out of date, the last time I opened a US bank account was in the fall of 1998, which is before the publication of that article. (The account is still open, though!)

However, I don't get the impression that things have changed. Whenever I complain about how much crap you have to go through to open an account in France, and how it takes roughly 10 minutes with no paperwork in the US, nobody has ever jumped up and said, "Wait, that's not true, I opened an account last month and I had to...."

I don't think that such a system would be very practical, because there are quite a number of people who (legally) exist in the US without any ID at all. If you don't drive and don't travel outside the country, you can get away without having one. Suddenly requiring all of these people to get ID just to have a bank account would make a lot of people angry. There have been efforts to require ID to vote, and it has made a lot of people angry exactly because of that.

But I also could be wrong. Although I'm American, I haven't been involved enough in the American financial system to be anything remotely approaching authoritative.

Re:Compare with Europe

I think Dead Kennedys said it best with: Give me convenience or give me death...

Bah.

Re:Compare with Europe

PATRIOT Act (yes, that one) requires from banks to verify identity of the people before opening bank accounts.

Re:Compare with Europe

[Perky_Goth]

it sure as hell looks pretty trivial to forge an ID card... but, it does bring some security.
However... i had to cancel a few cards at the bank, and they asked me for no ID. I had to renew my drivers license, and no ID again. So, all of those who are crying about loss of freedom, it's not a big deal. In Portugal, police can take you in for identification if you can't provide it, but that's it.
And about mailboxes... they're not that safe... i open mine with an old bicicle lock key...

Re:Compare with Europe

[thogard]

ID theft in Europe is about the same rate as in the US, its just that there are nearly 0 prosecutions so unlike in the US where 1 in 7000 get caught, its more like one in a million.

Re:Compare with Europe

[wik]

A few years ago, PA tried to sell its drivers licence database (including digital pictures) to some Florida company for about $100M. At the last minute, common sense whacked the state goverment in the head and the deal was called off. They basically wanted the cash.

We aren't that far off from the face images in company databases.

Re:Compare with Europe

Face-ripping-off; that hurts!

Re:Compare with Europe

[theCoder]

If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?

Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).

Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you :)

Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that would make it much harder for the authorities to find it.

Re:Compare with Europe

[DAldredge]

Credit card provides, at least in the USA, provide address and name checking. When you did this, where was you credit card bill being sent to?

Re:Compare with Europe

[BlueUnderwear]

If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?

If this is a checking account, you have the possibility to overdraw it. Eurocheques have a maximum guaranteed amount, so the bank cannot really bounce them... The bank must protect itself against customers who open a checking account, deliberately overdraw it, and run.

Article is spot on. Happened to me..

[SlashdotCEO]

I had my identity stolen about 8 years ago. It suuuuuked!

In San Francisco, when some people move out, they throw all this crap they don't need anymore on the curb. I saw this thoughout the city, time and time again, so when it came time for me to move, I did the same.

I got rid of almost everything! This included, tons of old papers - possibly old pay stubs. Big NO NO! At one point, I even noticed some people looking through the big pile. "Just people who like crap", I thought.

Six months later, the Postmaster General Attorney's office in San Jose calls me saying they've arrested someone on postal fraud that had my name and info in his little black book. It was under a section that basically was ready to have a drivers license and social security card issued in my name with this guy's picture!

To make a long story short, the guy went to prison and I had to notify all agencies where I had any type of id or credit/bank card to put a watch on them for the next six months.

My lesson learned: shread everything.

However, online, this is a totally different issue and the only thing I can suggest and do about that is to check into companies and try to make sure they are responsible about how they store your credit-card information. I've personally written to all the online companies I use to ask as how they protect my information. If it ever seemed like they weren't up to snuff, I explained my concerns and asked for some sort of reassurences. Although, I must admit, that's not the best thing and sometimes letters to the BBB and other groups/agencies are necessary.

YOU FUCKING FAG

you suck cock, gaiboi.

Re:YOU FUCKING FAG

Don't look now, but I think he's sucking yours.

Re:YOU FUCKING FAG

ahh, I wondered why some guy was on his knees with his face buried in my crotch!

I am astonished

I, for one, am quite astonished that you would accept such a blatant violation of privacy as a national ID card and even think that it is a "good thing".

Fortunately it will never fly here in the UK. We are still human beings, not numbers.

Re:I am astonished

you make no sence.. do you have a drivers license? then you have an id card.. wtf..

Re:I am astonished

Yeah, but I do not have to show it to a cop (even if requested) or to a clerk in a bank.

You see, some of us are still free...

Re:I am astonished

[SiliconJesus101]

Well, until you get arrested for not producing identification, at which point in time the cop will remove your ID from your wallet so that he can get your identity. Basically, the cop has a suspicion that you may be involved in something and requests that you provide identification.

This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.

The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.

Re:I am astonished

Well, until you get arrested for not producing identification, at which point in time the cop will remove your ID from your wallet so that he can get your identity. Basically, the cop has a suspicion that you may be involved in something and requests that you provide identification.

That depends on your local laws. In my country, (not the US) the police can ask for ID, but you do not have provide it unless you are under arrest. As well, no law requires you to carry ID with you all the time. I am not a US lawyer, but I believe it's the same in the US.

In some countries, you are required to carry ID. It is a crime to NOT carry ID and provide it when asked.

Define "user"

[czardonic]

An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if was no longer inconveniently insecure?

Re:Define "user"

[djrogers]

An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

And yet you use /. insecurely...

Re:Define "user"

[timeOday]

An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.

That's nonsense, I can't imagine a setup that couldn't be made more secure by making it even more useless. Putting information on a computer at all is a concession to security for the sake of convenience. The hardest database to steal is two tons of filing cabinets in a vault.

WHAT?!?!?!?!?

Slashdot doesn't use or require SSL logins???

I'll have Taco's balls for this!!!! Yes siree!

Hey Taco, instead of constantly fiddling with the lameness filter and the moderation system, how about implementing basic security. Either that, or you could go home to Kathleen. [shudder]

Lameness filter encountered. Post aborted!

Reason: Your subject looks too much like ascii art.

COPIED POST

Post above is copied from one made months ago by a different poster. Please mod accordingly.

Re:COPIED POST

Parent is a copy too Read the posting guidlines

Re:COPIED POST

how'd you find this out?

the anti-slash db tool is to be used strictly for karma whoring, not to bust the karma whores.

Why can't slashdot have a search function that compares to the trolls'?

Re:COPIED POST

the anti-slash db tool is to be used strictly for karma whoring, not to bust the karma whores.

Doesn't make much difference. Idiots are still modding them up anyway, even after it's been pointed out.

Weakest Link

Sure its nice to have SSL, but 90% of breakins are due to compromised email accounts, especially hotmail (where to change a password you just need a correct response to a user-generated question like "What is my favorite color"). Not to mention hotmail's past reputation with security issues.
The user is always the weakest link, the'll click/run on anything that looks tempting, and its going to take a buttload more than SSL to protect against that.

Hi Vlad!

What's Reza up to these days? Judging by her photos, I'd say 600lbs!

HAW! HAW! HAW!

Parent is troll

Parent is linking to same post in order to confuse moderators.

Re:Parent is troll

Yeah, and somehow he's managed to change the name of the poster and the date of posting... oh, and the story it's attached to. Fiendishly clever.

Re:Parent is troll

um, they link to the SAME THING

fucking troll you are

Re:Parent is troll

No they don't.

Re:Parent is troll

yes they do. you're a troll

Re:Parent is troll

prove it

Re:Parent is troll

ok... proof,

Re:Parent is troll

[Perky_Goth]

LOL.
slashdot...
check one of the last comments by him, there's an offtopic discussion on how he's a bit of a troll.

Satisfying, carefree sex

That's sex with your sister.

The question is: how do you talk her into it?

I know some of you slashdotters have "done the nasty" with your dear sis. Don't hold back. How did you do it?

Re:Satisfying, carefree sex

That's, quite frankly, disgusting.

Get a fucking life, freak.

Security Focus...

I clicked on the story reference and after 10 or so irritating cookie alerts told my browser to put the referenced host onto the unconditional cookie reject list.

Referenced story looks bona fide.

WTF?

Identity Theft

[sparklingfruit]

I've heard the rate at which people who commit identity theft get caught is around 1 in 7000.

So you have a much better than 99.9% chance to just do it to your heart's content and walk away with the money. That's pretty freakin' scary. A crime where you never have to see your victims, never have to face any consequences, and make tons of money. Can you imagine what would happen if a misguided Robin Hood decided to popularize the techniques and teach them to America's poor? Would the entire banking industry collapse at once? With a million people doing it simultaneously you would obviously overload the already overloaded investigative ability of the gov't and probably change the ration to 1 in 100,000 getting caught.

Re:Identity Theft

I liked this message the first time I read it, when it was posted by Robert Arnold.

Re:Identity Theft

Given that there are two posts further up that have both been modded up to +4 and +5 that are blatant reposts of other people's works, it's hardly surprising that he thought he could get away with it.

Money needs to go

Money is just a piss poor patch (at best) to the
problem of people just not being able to get along
with eachother.

another case of blame crooks for being crooks

instead of protecting their inf..

the real threat to yOUR social system is the constaNT suck of the endlessly needy corepirate nazi marketeering execrable, if you don't couNT the georgewellian fuddite debt & disruption machines.

both 'institutions' fail miserably, & sadly enough, voluntarily, in the area of protection of personal information, unless it is their own, & even then, they just fail buy ineptitude.

consult with yOUR creators... that's it. you are entitled to some privacy. it's a huge planet.

disposable CC numbers

[aaandre]

Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).

You log on to their web site with your account info and gener... Oh, wait...

POST IS A COPY

Seriously, it's already been pointed out once that this post was blatantly plagiarised from an earlier one. Why are people STILL modding this regurgitated crap up?

web-hosting is THE solution

[axxackall]

Now they need to worry about things like SSL and site performance, and it's too late.

It's never late. Getting working site under SSL is 2 hours to 2 days work. I did it few times and never had any serious performance problems.

And if performance is still a problem, isn't reasonable to consider a web-hosting? If application is done one anything that a web-hosting company can run (Perl, Java, ASP, even Zope) then both performance and SSL are even less problem - most of hosting companies provide SSL and have no performance problems. The thumb rule is: if you don't know how to do the job right - give it to people who know the drill.

And your alturnative idea is...

[Saeed+al-Sahaf]

You don't see the need for SSL on a journal / blog site... Then how do YOU propose to manage security and prevent hacks? Will you feel differently when YOUR account is hacked? No, SSL is virtually required (Oh my! I like that!) for this sort of thing, and overhead is highly overstated.

On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.

Article Slant

[bradfitz]

I'm Brad Fitzpatrick, from LiveJournal.

The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

Things we talked about that she decided to ignore in her article:

-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.

-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated

-- we don't let users do any major action (like, oh, change the account's password) without the original password.

-- we have no many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just people plain dumb/trusting/gullible. SSL isn't a magic security wand.

Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.

Re:Article Slant

Agreed, this article was poorly written and obvously wanted to stir up ratings.
It fails to address how people will click/run on anything that is presented to them...
I thought SecurityFocus had better reporters than this.

Re:Article Slant

[metalpet]

yeah, journalists with an agenda are a bit evil, but it's not all bad:
- LJ gains some exposure from this
- real security folks reading over this most likely won't feel livejournal is that far behind. Half of the complains in the articles are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

Brad, I'd suggest you post a copy of your reply at this url:
http://securityfocus.com/cgi-bin/sfonline/fo rms/co mment_form.pl?section=news&id=7739
SecurityFocus happens to have a fairly visible forum system, you might as well use it.

Re:Article Slant

Wow a digest, Can't wait to mutate your javascript to send the password in the clear, or impersonate your site. Good thing she didn't mention your stupid sugestion it shows how silly your ideas for security are. Digest don't cut it tardo.

Re:Article Slant

[metalpet]

You don't have to wait.
This little site happens to implement exactly the kind of javascript digest challenge/response he's talking about.
This sends a non-replayable authentication token over the wire from which the password cannot be derived.

You can certainly "mutate" the script to send your password in the clear, but an even better attack would be to write your password in big letters on a web page, and post the URL here.
I'm looking forward to hearing more of your brilliant scheme to let the world know your password in spite of this mechanism.
However keep in mind this is really meant to protect legitimate users from attacks, not stupid people from themselves.

Re:Article Slant

Poorly written? Weird I didn't notice that.
As for the click/run anything that is presented I believe that this is her point. Perhaps if security can't be achived through technical means due to XSS holes, SSL speed, 'click/run' stupidity, then you shouldn't be creating the false sense of security that social discovery networks rely upon to get people to reveal sensitive information.

Re:Article Slant

Well the mutation is done by a person with access to the wire (or wireless), sometimes refered to as an active adversary. The attacker changes the form that the user types the password in so that they don't use a digest.
You can also impersonate the site. SSL protects against all of this with validation of the CN in the certificate, and a cryptographic signature for the data.

Re:Article Slant

[metalpet]

Okie dokie. So I assume you agree a javascript challenge/response system is sufficient to protect against a passive man in the middle attack (aka sniffing). SSL is sufficient for this as well.
Now, it is true such a system could be vulnerable to an active man in the middle attack, but the very same applies for SSL, as ettercap has shown.
Active man in the middle attacks are darn hard to prevent, and SSL alone is not sufficient to do it.

Re:Article Slant

It is better than nothing, and stops a passive attacker aka sniffer but not a man in the middle, which is a common attack. It also fails to protect from:
- fake sites with hijacked DNS
- offline dictionary attacks on the challange response pair
SSL is not vulnerable to these attacks, the people posting about MiTM have nevery read a book on TLS or SSL obviously, stick with SSL v3 or TLS with some decent ciphersuites (AES, SHA1, RSA) > 128 bit keys and live is good.

Also the author's point about the site included some stuff about cross site scripting, I believe she mentioned the lack of SSL more as a way of pointing out they don't care about security at all. Certainly his high speed home grown SSL replacement isn't going to get him anything but scorn from the clueful security community.

Re:Article Slant

[metalpet]

well there's plenty of practical evidence MiTM attacks for ssh and ssl are real, no matter what books may say about it.
I'm also fairly sure the recent %01 bug in IE could be used advantageously to cheaply pretend to be someone else's SSL server. The URL will look ok, the little lock will be closed, and no warning popup will show up. That's good enough for 99.9% of users.
I remember a time when web spoofing was just a theorical attack.

Anyway, if you re-read brad's post, his home grown SSL replacement will be rolled out at the same time as a full SSL login system, with most likely the javascript version being the default.
This will allow the SSL believers to feel comfortable, which keeping the overall system load at an acceptable level.

Re:Article Slant

[gilgongo]

Not trying to troll, but how do we know you're the real Brad Fitzpatrick?

Ha ha, only serious. But your profile is blank, and I can't see your PGP key - which might be construed as ironic under the circumstances ;-)

Re:Article Slant

Good points. There are often holes in implementations of SSL that make it practically useless against a MiTM attack.
Hopefully this will get much better over time as Microsoft (as if) gets it's act together on security. I had misunderstood his parallel rollouts of the two systems, probably because his quotes in the article make it sound like SSL isn't required.
I wonder if SSL would have been included in the update without this article making it to slashdot.

Re:Article Slant

[zby]

That's strange that your answer at the original article comments has so litle of the details you unveiled here.

Re:Article Slant

[BlueUnderwear]

-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)

I just have to comment on this. Many people have Javascript switched off due to security (cross site scripting, annoying popups/popunders, ...). They might not be worried about these issues on your site, but on other sites, and might be tired of switching JS on and off everytime they visit a different kind of site. So they just leave it off permanently. Indeed, not every browser supports per-site JS settings like Konqueror does. Ironically, with your "secure" JS-based login procedure you would be shutting those security-conscious users.

Other users may not have access to JS due to disability. Blind users often use lynx with a braille line or a text-to-speech synthesizer. And last I checked, lynx does not support JS (and it would probably not make much sense anyways in a text-only browser). Be careful not to run afoul of the ADA.

SSL would be a much preferable solution. It's much more standard, more secure and supported by all modern browsers, including lynx and other text-only browsers.

eBay's lack of SSL

[thedillybar]

To this day, I can not figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send you new password over SSL.

This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.

Re:POST IS A COPY - SO WHAT?!

(I am not the poster you are talking about and I have, in fact, karma bonus when I post with my account)

So fucking what?!

Are you so hung up on the concept of karma that you can't stand the idea of someone gaining it?

Fuck you. The post is ON TOPIC and INSIGHTFUL. It doesn't matter if it was or was not original.

It is YOU who should be modded down. Asshole.

University requirements

[thedillybar]

While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)

Re:University requirements

While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).

Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.

After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)

File a real complaint with the university and sue under FERPA.

UMichagan is a state school, and state laws apply. The university is violating its password policy and its student records policy.

Call your student government, and get them involved.

Call your student newspaper, and get them involved.

Call your local TV news, and get them involved.

And talk to a lawyer.

You'd be amazed how quickly a university can respond when bad publicity and legal threats rear their ugly heads.

Re:University requirements

Publicize it.

Get an article in the college's paper (I assume you have one there?) complaining about this and explaining how someone could hijack this system.

Be sure, however, that the article does not use your name. The only problem with this would be if you complained to them in a non-anonymous manner. The sad thing is that whenever you do whistle-blowing like this, you NEED to be anonymous. I did my best to follow my own advice when reporting vulnerabilities to the staff of my college and, thankfully, suffered no consequences as a result (in theory, they could've prosecuted me with violations of their rules within the university, even though during it all I was only trying to help them fix broken security... but I made it so that they had no one to punish for their own mistakes...)

Re:University requirements

[endx7]

Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.

Well, -you- are trying to prevent others from obtaining it while they might not be. If something does happen, point fingers. You kept up your end, and mentioning their problem then might help. And my guess is you'll have an advantage legally?

You have got a lot to learn

Sorry. That is real life for you.

Lesson 1: no-one likes a smart-alec.
Lesson 2: no-one likes the person who points out faults in their system.
Lesson 3: no one is interested in the truth/optimal performance.
Lesson 4: EVERYTHING IS ABOUT POLITICS (this is the capital rule).

So please, for your own sake, shut the fuck up and kiss the dean's ass (or donate big bucks) if you wish to accomplish something.

Re:You have got a lot to learn

And as long as assholes like you bend over, things will never change.

Re:You have got a lot to learn

Get back to the frat, pledge.

FUD

[segment]

For most (l)users who don't understand SSL, most times they'll end up ignoring OpenSSL certs that weren't signed by so-called 'Trusted Signers', often going into a site without using SSL, thinking the cert is not to be trusted. I threw a 4096bit cert for my FOIA docs, Openwebmail, and some other stuff, and people always ask me about that annoying little 'Trusted Signer" warning.

Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure By Carl Ellison and Bruce Schneier

Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source)

Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.

It's called PLAGIARISM

Being a copy isn't a bad thing in itself. Copying someone else's post and re-posting it as your own is plagiarism. I think most most people on Slashdot would agree THAT is a bad thing.

Re:It's called PLAGIARISM

Yep, if he wants to point out the previous post, he can link to it. If he wants to make the same points again in his own words he can write it himself. Just ripping off someone else's post is pathetic.

PLAGIARISM: HOW TROLLS BUILD KARMA

I generally like the options for moderating on Slashdot, but we really need a -1 Plagiarism moderation for posts like the parent. The parent post as well as several others under this article are being copied from a previous Slashdot article on identity theft. These accounts will be used for trolling at Score:2 later on if people keep modding them up.

Awww...

[Toby+Studabaker]

I bet you were the guys in school who ratted on the people who were cheating in an exam.

THAT's pathetic.

I will keep modding these guys up because they are not offtopic, trolls or flamebaits.

Re:Awww...

They are not offtopic but they are trolls and the very process of plagarizing another person's comment is flamebait.

Re:Awww...

[Michalson]

>I bet you were the guys in school who ratted on the people who were cheating in an exam. >THAT's pathetic. Yes, because knowingly letting someone cheat on an exam, and thus possibly *steal* your position at whatever university/college you might want to go to, or perhaps (but less likely since most employers aren't looking at exact scores) *steal* the job you applied for because they appear more qualified on paper, is sooo "uncool". Of course you do realize it was the losers too stupid to pass a simple exam who came up with that and other illogical stigmas in an attempt to cover their asses.

Where do you think I got money for my campaign?

Dr Howard Dean

Troll Alert

[missing000]

Feeding trolls is bad.

Re:Troll Alert

[bhtooefr]

Hmm, a Slashdot Jihad member, now a supporter of the GNAA, and he's got nero-online.org/lastmeasure as his site? Sounds like we've got a troll on our hands (and a new entry in my foe list!)

Re:Troll Alert

heaven forbid someone criticizes the blatant hypocrisy of the Slashdot staff...

Happened to someone else?

[AndroidCat]

If this is a plagiarized post, then nuke-mod him. Still, a plagiarized about identity thief is mildly funny, and certainly ironic.

Re:Happened to someone else?

There's nothing funny about the sheer volume of plagiarised posts made today. Stupid little kiddies are trying to make the site unreadable, and they're getting close to succeeding.

Re:Happened to someone else?

[AndroidCat]

And what's worse, they only seem to have 13 of my posts on file!

The posting-bots are only half of it. I'm sure that they keep a large enough stable of minimum use puppet IDs such that some of them always have mod points. (Remember the BBS program Pyroto Mountain? Slashdot reminds me of that sometimes.)

The other day, I noticed a new article had over 50 posts, and all but 10 had been modded down to -1. This must be a real pain for the slashdot crew.

shame really

as they have a SSL certificate, they just 302 you instead of processing the login then 302 you

but i guess programmers know best right ?

SSL vs javascript

[moncyb]

well there's plenty of practical evidence MiTM attacks for ssh and ssl are real, no matter what books may say about it.

Funny, both those documents said the user's client would display a big red warning saying: "HEY DUMBASS, THERE IS SOMETHING WRONG WITH THE SERVER'S KEY." It isn't the protocol's problem if the user doesn't understand basic security and will ignore warnings.

I'm also fairly sure the recent %01 bug in IE could be used advantageously to cheaply pretend to be someone else's SSL server. The URL will look ok, the little lock will be closed, and no warning popup will show up. That's good enough for 99.9% of users.

So because one crappy browser has a bug which may potentially be exploited, we should forget about using SSL for security? Whatever you say.

BTW, I check the cert every time I log into an important site, though an IE bug won't affect me because I use that other crappy dragon browser (for HTTPS anyway, I use Dillo for most everything else.)

I don't know what the AC's problem was (Troll? LJ is just a blog site, and the article even said the main problem was users giving away their passwords), but it is stupid to say some javascript code is as secure as SLL. Especially using windows troll logic--"there is a potential hole in X, so it negates the tonnes of glaring holes in my favorite Y. Y is clearly better." It may be more secure than nothing, but don't just make crap up.

Maybe you should've pointed out Master Fitzpatrick already said he was working on it and asked the AC troll why it wanted to break into 14 year old girl's blog accounts anyway. ;-)

Re:SSL vs javascript

Are you kidding? I'd love to break into a 14 year old girl.
Oh, sorry, misread the comment....

It's not stealing

[KalvinB]

it's copying.

Ben

Re:It's not stealing

Kinda. I was going to say that thats certainly a misuse of 'Theft', stealing it isn't you're right but what is it? Copying is impersonation fraud in a legal sense.

I think it's quite unique because the 'victim' can actually play no role whatsoever in the crime.

The person being attacked is the idiot whos beleif (security) is so slack that s/he takes an impersonator to be you. If you lose money as a result of this your real beef should be with that person who failed to apply proper scrutiny.

Thats one way of seeing it. But Imagine you are a small business whos customers are regularly sloppy with their security and leak easily to imposters. Who should bear the resposibility now?

There are potentially 2 victims to every crime and since it can't be proven easily who was to blame its quite a sticky situation.

My thoughts end with this...

Certain comapnies like Verisign have set themselves up as 'certificate providers' and their pitch is all about 'trust'. But when you analyse it all logically they actually do jack shit, they simply say 'trust us' and make a killing selling random numbers to people, if ever there was a money for nothing scam these guys have got it licked!! :)

What certificate providers should ACTUALLY be is third party intermediates in a 3 way transaction whereby they VALIDATE that both parties are who they claim at the time of transaction and UNDERWRITE the transaction (insure it as well as assure it).

Selling random numbers and commanding trust will not help anyone, or am I completely misunderstanding SSL?

social networks = valuable private data

[obtuse]

I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.

Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.

The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.

It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.

One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.

Sure, probably nobody will come looking for me, but I lock my doors at night anyway.

I do know people who wouldn't have gotten certain jobs if their network of friends was known.

Why banks ID customers

I can tell you why banks want ID for their customers, even for a checking account.

Last year, someone opened two checking accounts using my name: one in Cyprus and one in Germany. Then they broke into my E*TRADE account and wired all the money from "me@etrade" to "me@bank-of-cyprus" and "me@some-german-bank".

E*TRADE got all the money back but it sure ruined my month. And now I have instructions on all my bank and brokerage accounts: "no outgoing wire transfers. Ever."

The point is that a bank account accepts deposit and wire transfers, which the bank then acts to collect on behalf of the customer. That's why banks want proof of identity just to open an account.

And that amounts to...

... the empty set!

YourReputation.com

[DigitalNinja7]

YourReputation.com (https://www.yourreputation.com) is another real-world social network type of site that doesn't have such flaws. It uses SSL for its logins, and third-party, commercial-grade identity verification before people can post. We believe this is the type of service all social network sites should switch to, to protect their userbase.

Create your own community site

[gpoul]

Anyone who cares about security should setup their own site for their community and close it down and have it use SSL. This way it's also not such a big strain on CPU as this is only for a few people.

In addition you set the policy and shouldn't let anyone else in, so your posts can't be leaked. (Though you should be prepared for it, as anything that is on an internet-connected device has to be considered in-danger)

In addition I'm still not sure why people and businesses still use _unsigned_ and _unencrypted_ mails. If mails would be signed from the merchant or journal site it would be much easier to catch fake mails! How hard can it be?

Not Much Different From Real Life

[osewa77]

Consider the fact that its just as easy to get such sensitive information by installing spy cam or hidden microphone in your home, through your friends, etc with or without SSL.

Online or offline, there's always a trade-off between convenience and security and these sites are no exception. SSL tends to be slower because it requires more round trips between the server and client, much more processing power, etc and sites know that performance affects their popularity.

The rule of thumb should be: get informed about how easy it is for someone to hijack information you put on any social networking site and and don't put it there if you think someone may be sufficiently motivated to do so in your own case.

One thing social networking sites can do is provide higher security, including SSL, to those that need it and perhaps charge them more. Besides the free e-mail providers like Yahoo and Hotmail have a similar problem to solve on a much larger scale!

For the record...

[jvaillant]

LinkedIn has been using SSL since day one, not just for the login page but for every page of the site. The application is also constantly tested and hardened against XSS and other OWASP vulnerabilities. Security is a real concern to us and is factored in every aspect of our design and implementation.

Jean-Luc Vaillant, VP Engineering, LinkedIn