Slashdot Mirror

← Back to Stories (view on slashdot.org)

Schneier On Un-Authentication

Posted by CmdrTaco on from the gimme-back-my-keys dept.

Trailrunner7 writes "Bruce Schenier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"

13 of 336 comments (clear)

  1. How do you un-authenticate? by Anonymous Coward · · Score: 1, Informative

    By disconnecting. Problem solved. Next story, please.

  2. I lock my computer when I walk away by yincrash · · Score: 2, Informative

    ctl + alt + del -> k on windows, and ctrl + alt + l on ubuntu. that's all. a lot of offices also have windows security policies set to lock the screen after 5 minutes idle.

    1. Re:I lock my computer when I walk away by Deag · · Score: 4, Informative

      I'll save you a keystroke, windows-L works too.

    2. Re:I lock my computer when I walk away by Anonymous Coward · · Score: 1, Informative

      Yup. And/or hopefully your competent sysadmins have configured (and locked down the ability to change) the screensaver timeout to a reasonable threshold of 15 minutes or so.

    3. Re:I lock my computer when I walk away by MyLongNickName · · Score: 2, Informative

      If no activity for X minutes, lock the PC and send an email reminder to the user that says "Hey Dumbass, lock your PC when you leave".

      Yeah, because I never sit at my desk for ten minutes on a phone call or reviewing paper notes.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    4. Re:I lock my computer when I walk away by clone53421 · · Score: 2, Informative

      Windows doesn't support it in a multi-user network environment. I don't know why, but it doesn't.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  3. Solutions that work, but are too bulky. by Animats · · Score: 5, Informative

    Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.

    Nobody would tolerate that today. Except, maybe, for an ATM.

  4. Put the onus on the client by SuperBanana · · Score: 2, Informative

    You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.

    My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authenticaton dialog box for the system keychain password.

    This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.

    --
    Please help metamoderate.
  5. Location based devices.. by Bert64 · · Score: 2, Informative

    Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.

    Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Re:applies the burninator by Zordak · · Score: 2, Informative

    Do a "Print Screen" of their desktop and set it as their wallpaper. Then set their taskbar to auto-hide and set the desktop to hide icons. Enjoy watching them click all over the reactionless bmp trying to open stuff.

    --

    Today's Sesame Street was brought to you by the number e.
  7. Re:Effective way to keep screens locked by Anonymous Coward · · Score: 2, Informative

    You used someone else's credentials so that you could obtain a physical object for free, and you caused actual monetary damages for an innocent victim. This is not comparable to a nebulous "it's not real stealing" case like downloading music or movies. You committed either theft, fraud, or both, in a very real-world sense.

  8. Re:Effective way to keep screens locked by mcrbids · · Score: 2, Informative

    This is brilliant!

    Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

    Wow. Don't you feel important? Except that, really, ANYONE can send an email as ANYONE else, at ANY TIME. Here's a tip: type the following in a telnet prompt, where your ISP's mail server is called "smtp.myisp.com"

    # telnet smtp.myisp.com 25
    HELO foobar
    MAIL FROM: billgates@microsoft.com
    RCPT TO: samjones109@yahoo.com
    SUBJECT: Free drinks on the house!

    Hey! I gots my billions of dollars so come down to Joe's bar at 5:30 and drinks are on me!

    -Billie Richboy. .

    Congratulations! You've just faked being Bill Gates to Sam Jones! Wasn't that hard?

    A few times, I've gotten a cheap kick sending text messages via the SMS gateway to cell phone users from themselves. It helped out once when I had a gal friend whose ex-boyfriend was giving her grief - freaked her ex out to send messages that looked to him like they came from his phone: ("Just leave me alone...")

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  9. Re:TLS/SSL by afidel · · Score: 2, Informative

    OCSP/CRL, certificate revocation list. If you have found a fraudulent site or a legit site who's cert has been compromised contact the signer and have them add it to their CRL/OCSP blacklist. I'm not sure if there is any mechanism for a local CRL, though you can certainly stop trusting a signer if they show a significant lack of diligence in screening their clients.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.