Schneier On Un-Authentication

Trailrunner7 writes "Bruce Schenier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"

Effective way to keep screens locked

[stefanb]

A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the readers imagination.)

Apparently, very few people left their machines unlocked more than once...

Re:Effective way to keep screens locked

[DevStar]

We used to do the same thing at my job, until someone quoted the employee guide to point out that using someone elses computer without permission was against company policy and potentially a firing offense. That ended that.

Re:Effective way to keep screens locked

[Ephemeriis]

The bank in one of our local grocery stores has frighteningly lax security...

There's a computer running Windows XP there, against the back wall, with the screen in plain view of anyone walking by. It is pretty much always on and always logged in, sitting at the Windows XP desktop. Usually with a couple programs minimized in the taskbar. It's also got a desktop wallpaper set with BGINFO, so it's displaying the computer name and IP address and whatever else.

The grocery store itself stays open long after the bank closes, and that computer is sitting there logged in and vulnerable. I don't know how many people (dozens? a hundred?) walk past it in a night. There's no security gate or anything, so somebody could probably just vault over the countertop and do something malicious if they wanted to... The security cameras would probably pick that up, but it might be too late. Of course there's a distinct possibility you wouldn't even need to do that... You might be able to get something useful just by standing at one of the checkout lines and snapping pictures with a decent digital camera.

And there's a couple more computers set up with their backs towards the customer... I assume these are for tellers to sit down and consult with people. They're set up kind of like a private consultation booth or something - maybe for folks looking to discuss a loan or whatever.

These two computers are literally sitting on the counter top with their backs towards the customer. Sure, you can't see the screen, which is an improvement... But I bet you could slip on a hardware keylogger without looking too suspicious. People are constantly walking through or idling there, waiting for someone to finish up in the store.

Re:Effective way to keep screens locked

[MyLongNickName]

So, you are a thief?

Re:Effective way to keep screens locked

[aardwolf64]

Of course, the fun rose exponentially when two people had their machines unlocked. I would frequently carry on a whole phantom conversation.

"Hey, let's go to lunch tomorrow"
"I can't, I have to wax my hamster"
"I didn't know you had a hamster"
"..."

Re:Effective way to keep screens locked

[clone53421]

All that means is I have to watch for you leaving and get there before the screen saver kicks in.

Re:Effective way to keep screens locked

[MyLongNickName]

No, moron, you are basically having a charge appear on someone else's account for services you got.

And the services are not purely electronic. You got a service that really cost someone else money.

And on top of that, you assume I download music/other files illegally. I don't.

So, not only are you a thief, but you are not very bright. And you jump to conclusions that are not supported by the facts.

Re:Effective way to keep screens locked

[Velorium]

Well see here, you actually created a charge for somebody else to pay. The first thing of know-how to piracy is that stealing is removing an item (what you did). Piracy is making a copy of an item (downloading). If you're trying to justify actually stealing something, do so in a way that's at least somewhat logical.

Re:Effective way to keep screens locked

[cbiltcliffe]

How is using physical paper and toner paid for by someone else with their money the same as downloading a digital version of a movie that you already have the VHS for, but it got chewed up when your VCR died?

There's a very good reason why the laws of virtually every country in the world DO NOT consider downloading data to be theft.

Because it's not.

It's copyright infringement.

I'm not saying it's right, or justified, or anything to do with the moral right or wrong of it. If you come out with a comment about how I'm a scofflaw just because I don't think it's stealing, you've just shown your own immaturity, and complete lack of awareness of the situation, as well as sheer arrogance in putting words in my mouth.

The simple legal fact is, the two are not connected in any way, regardless of entertainment industry propaganda.

Re:Effective way to keep screens locked

[HAKdragon]

The real fun is to create a new folder before doing the screenshot and then deleting it right after.

Re:Effective way to keep screens locked

[MyLongNickName]

Hi Commodore,

You again make assumptions about my behavior. I can quite honestly tell you I have not done any of the above except ad blocking, which is neither illegal nor amoral.

You again fail to see the very obvious. You charged your services to someone else's account. This isn't complicated.

As far as my "sinning", yes I have done things I wish I hadn't. However, you come here bragging about what you have done, and then continue to justify your actions using absolutely moronic logic. if you want to follow your "sin" analogy, then you have not "repented". While you are unrepentant, you are to be treated as though you an outside, shunned and ignored.

The bottom line is that you stole from the people you did this to.

Re:Effective way to keep screens locked

[ScrewMaster]

At one point, I put together a low-powered 40 Khz. IR transmitter and receiver that would detect when anyone was sitting in front of my computer. As soon as I got up and walked away, it would invoke the screen saver. As soon as anyone sat back in front of the machine, it would bring up the login prompt. Worked very well, actually. I'm sure some company somewhere marketed some similar security scheme, although I never bothered to look. Huh, now that you made me think of it I should go see if I can find the thing and update it for USB.

Re:Effective way to keep screens locked

[MobyDisk]

I worked at an office where we used Baggy pantsing to achieve this same effect. It worked brilliantly until on particular manager tried to make it seem like we were causing the problem, not pointing it out. I don't think that person lasted too long though.

Re:Effective way to keep screens locked

You used someone else's credentials so that you could obtain a physical object for free, and you caused actual monetary damages for an innocent victim. This is not comparable to a nebulous "it's not real stealing" case like downloading music or movies. You committed either theft, fraud, or both, in a very real-world sense.

Re:Effective way to keep screens locked

[Ephemeriis]

No. What I did was no more stealing than when you (and lots of other people) download movies, songs, or tv shows. It's not real property - it's just internet data.

Think about it. If I'm right - it's not stealing. If you're right, then it is stealing and so too is downloading/bittorenting and you too are a thief. (ponder) Ooops.

When I download a song (which I will readily admit to doing) I use my own disk space and bandwidth, which I paid for, to make duplicates of bits stored on another server. While I may very well be failing to pay for the song (actually, I usually do pay for it) I am not actually taking anything away from anyone. The act of making my own copy of those bits does not remove those bits from the original owner's possession. That's why it's called copyright infringement and not theft.

You, on the other hand, made printouts. Those printouts used paper and toner. That paper and toner was removed from the printer by your hands. You took those printouts with you. You physically removed those printouts from the original owner's possession.

You, making those printouts and not paying for them, is the same as me walking out of Staples with a box of printer paper that I didn't pay for. It is theft.

The fact that you used another student's login to hide your actions does not make it any better.

The fact that other human beings on this planet have "sinned" does not make it any better.

Re:Effective way to keep screens locked

[AmiMoJo]

You can get little RFID tokens that you keep in your pocket. When you move out of range of the RFID reader on the PC (about 3m away) it automatically locks the workstation and can either require a password to unlock or simply having the token back in range.

Re:Effective way to keep screens locked

I was 17 and stupid

Well, at least you aren't 17 anymore. 1 out of 2 isn't bad.

Re:Effective way to keep screens locked

[clone53421]

I just hit Windows-L on the keyboard as I'm getting up.

In fact, if I'm not using the computer, it's usually locked – even if I'm at my desk doing paperwork.

Re:Effective way to keep screens locked

[lkl]

One morning at the office all the files in the home directory of a colleague were missing. After digging around a bit he concluded that someone had apparently mkdir ~/.remember_to_log_out mv ~/* ~/.remember_to_log_out

Re:Effective way to keep screens locked

[mcrbids]

This is brilliant!

Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

Wow. Don't you feel important? Except that, really, ANYONE can send an email as ANYONE else, at ANY TIME. Here's a tip: type the following in a telnet prompt, where your ISP's mail server is called "smtp.myisp.com"

# telnet smtp.myisp.com 25
HELO foobar
MAIL FROM: billgates@microsoft.com
RCPT TO: samjones109@yahoo.com
SUBJECT: Free drinks on the house!

Hey! I gots my billions of dollars so come down to Joe's bar at 5:30 and drinks are on me!

-Billie Richboy. .

Congratulations! You've just faked being Bill Gates to Sam Jones! Wasn't that hard?

A few times, I've gotten a cheap kick sending text messages via the SMS gateway to cell phone users from themselves. It helped out once when I had a gal friend whose ex-boyfriend was giving her grief - freaked her ex out to send messages that looked to him like they came from his phone: ("Just leave me alone...")

Re:Effective way to keep screens locked

[vegiVamp]

Yep, did that. Also changed win.ini to have shell=clock.exe.

Re:Effective way to keep screens locked

[Seedy2]

But surely you can just sit down at a locked computer, then look at the sticky note and log in anyway.

Re:Effective way to keep screens locked

[harry666t]

A lot of laptops have builtin webcams these days. Couple that with some simple face recognition. When the face disappears from the view, lock the screen.

Another idea - bluetooth. Virtually all cell phones and a lot of laptops have it. A small BT adapter should cost about a few bucks. libpam-blue is already there.

I lock my computer when I walk away

[yincrash]

ctl + alt + del -> k on windows, and ctrl + alt + l on ubuntu. that's all. a lot of offices also have windows security policies set to lock the screen after 5 minutes idle.

Re:I lock my computer when I walk away

[Deag]

I'll save you a keystroke, windows-L works too.

Re:I lock my computer when I walk away

[MyLongNickName]

If no activity for X minutes, lock the PC and send an email reminder to the user that says "Hey Dumbass, lock your PC when you leave".

Yeah, because I never sit at my desk for ten minutes on a phone call or reviewing paper notes.

Re:I lock my computer when I walk away

[MyLongNickName]

I am more referring to the email part, not the lock part. Locking is fine. The automated email doesn't.

And for god's sake, this is not AOL. Please don't type like you are.

Re:I lock my computer when I walk away

[Ephemeriis]

Then make the lock at 11 minutes or u can give your mouse a click while u re talking.Doesnt sound that hard.U just have to adopt.

But... I don't want any more children.

Re:I lock my computer when I walk away

[Anpheus]

Why? They work great as the "meta" key in Linux, at least for the US keyboard layout I end up getting.

Re:I lock my computer when I walk away

[adrianwn]

Yeah, that'll teach the establishment a lesson, you little rebel!
Fuck the system, man!

Oh, and I nearly forgot: "Arise, chicken! Chicken, arise!"
(for the uninitiated: ATHF)

Re:I lock my computer when I walk away

[Geoffrey.landis]

Unless your password is in the hundreds of thousands of characters, I highly doubt that it is 'un-rememberable'. Just take your normal password, make the p455w0rd 1337, then make one of the letters in the p455W0rd capitalized. There, you have a secure password that only requires that you remember which letter you capitalized.

A secure password?? That would be easy enough if I only needed "a" password, not fifty. (and one of the rules I do follow-- apparently the only person in the universe who does-- is to never use the same password on two different systems). And if I didn't have to change it every month.

Except that even then your system fails, since it has to have upper and lower case and numbers and symbols, and has to start and end with a letter, and one of the first eight characters has to be a number, and a couple of other constraints that I won't mention.

Re:I lock my computer when I walk away

[clone53421]

Windows doesn't support it in a multi-user network environment. I don't know why, but it doesn't.

Re:I lock my computer when I walk away

[Tynin]

A secure password?? That would be easy enough if I only needed "a" password, not fifty. (and one of the rules I do follow-- apparently the only person in the universe who does-- is to never use the same password on two different systems). And if I didn't have to change it every month.

Well, if you are able to set your own passwords you can still use a similar setup to what pwffff was suggesting.

Say you have 50 passwords, each needs to be diff, and they change every so often. Make all your passwords start with p455W0rd, then the next 2 (or more if you are so inclined) characters you could use to signify which server / app / product it is to be used with, and then have the next 2 characters increment for each time you are mandated to change your password.

i.e.[base password][few character to identify the system you are logging into][few character to increment your password for reoccuring passwd changes]

and really it can be in any order you are comfortable with and can be massaged into working with some crazy password requirements.

Password 1 = p455W0rd0101
In 3 months, or whatever the policy is, you'd change it to Password 1 = p455W0rd0102

And for your next password, you'd have it start as Password 2 = p455W0rd0201
and next time you change it, increment the last 2 digits. p455W0rd0202

Bottom line is if you never tell anyone that your base password starts with p455W0rd, then I don't think having a personalize system of 2+ characters to distinguish which system the password is for, and another 2+ characters to allow to reoccurring password changes would make your password any less secure, with the benefit of making them easier to remember. For extra security, add some ! _ - @ % etc characters to break up the 3 parts to your password. i.e. p455W0rd#02!01

I have an ungodly number of passwd's to remember, and I used to feel your pain until I started doing this. Good luck!

Article states the obvious

[jbezorg]

Designing systems for usability is hard, especially when security is involved.

Meh.. I was hoping for some deeper insights than that.

Solutions that work, but are too bulky.

[Animats]

Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.

Nobody would tolerate that today. Except, maybe, for an ATM.

Re:Solutions that work, but are too bulky.

[fuzzyfuzzyfungus]

Trouble is, anywhere except a building full of guys with guns, you would also have encountered an ingenious arrangement of paper clips and/or packing tape holding the door sensor permanently in the closed position...

Reauthenticate when suspicious

[Geoffrey.landis]

Requiring re-authentication whenever a logged-in user does something suspicious-- i.e., tranferring large amounts of money, installing a keylogger, sending out ten thousand e-mail messages, scanning networks for open ports, etc.-- might be useful.

If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.

MS solved this problem, but removed it with W2K+

[Tumbleweed]

Windows 95/98/ME had a built-in solution to this problem, but MS removed it in the Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.

This is more a policy issues then a technical one

[bleh-of-the-huns]

While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a pre determined time period, the best solution is a policy, and actual enforcement of that policy. There in lies the problems in many organizations, enforcement is not being done consistently.

With technical controls, there is always that time frame, for example idle accounts, usually 30 days from last login and then automatically lock the account, well a malicious user has 30 days to which to attempt access to that account. Same goes for screen locks, 15 min is a common default, well you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues, users get annoyed at the screen locking while they are on the phone, or whatever while they are at their desk, results in crappy passwords.

With a policy, and enforcement behind it, accounts can be removed, users will lock their screens (hopefully) within a timely manner.

Re:How do you un-authenticate?

[spydabyte]

You're the first person to address the real issue he's talking about and not the simple example of leaving a computer unlocked.

Think of a remote connection to Remote Desktop for Windows. When does the server know when to sever the connection? Is it after some time delay of minimal activity? If it's left authenticated for time X, and the ability for the traffic to be hijacked is Y, are X and Y proportional?

It's not as simple as I walk away from a physical machine anymore. My favorite is when an application doesn't close when you press the X in windows (upper right) or OS X (upper left). It's connections are still left open, leaving authentication on opening the application worthless.

Pwning

[al3]

In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.

Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.

There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.

It still works in XP

[davidwr]

At least it does on my compu[BSOD graphic goes here]

Re:It still works in XP

[CannonballHead]

that's cool, your BSOD also pushes preview/submit automatically. :)

Put the onus on the client

[SuperBanana]

You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.

My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authenticaton dialog box for the system keychain password.

This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.

Re:Paper?

[MyLongNickName]

Hardcopy Playboy. It gets around the web monitoring software.

Re:How do you un-authenticate?

[Stormwatch]

My favorite is when an application doesn't close when you press the X in windows (upper right) or OS X (upper left).

On a Mac, that closes the window, but the application is still running.

Location based devices..

[Bert64]

Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.

Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.

Re:Electronic Noses ...

[fuzzyfuzzyfungus]

If you are running KDE, and want proximity detection, you can set it up to listen for your phone's bluetooth radio and lock/unlock in response to the absence/presence of that signal.

Kbluelock.

This is De-Authorizing, not De-Authenticating

[zentechno]

One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more-often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate-policy. Now a minor, but important distinction. This isn't "un-authentication" this is de-authorizing the computer from which you're logged in accessing the place you're logged in to. You want to "authenticate a de-authorization" that is verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.

Re:applies the burninator

[Zordak]

Do a "Print Screen" of their desktop and set it as their wallpaper. Then set their taskbar to auto-hide and set the desktop to hide icons. Enjoy watching them click all over the reactionless bmp trying to open stuff.

Re:Bad company policies then

[mcgrew]

Then the screaming started. Folks would walk away from their computers and come back to a locked screen... But they wouldn't know how to log in. They didn't know what username and password to put in there because it looked ever so slightly different from what they saw when they first showed up in the morning.

You have to have the cooperation of the people at the top of the organization, who would send a memo to everyone saying that for security reaons, this is what you WILL do, and failure will result in discplinary action. If you're a hospital or something you would be insane not to. It worked where I work.

Or someone would walk away for an hour or two without logging off, and someone else would have to use their computer while they were gone.

You need more computers then. Everyone here has one on their desk, I thoght that was pretty much the norm at any company.

Or someone would want to quickly glance at some information, but the computer would be locked and they'd either have to unlock it themselves or find someone else to unlock it.

It only takes a few seconds to log back in. And once it's explained to them how to do it, they shouldn't have to ask again.

If I were in your position I'd be looking for a job somewhere that's likely to still be in business in five yeras, because it sounds to me like you sre surrounded by idiots from the CEO on down. I'd hate to have a job like that, and if they're as stupid as you make them out to be, I don't know how they're going to stay solvent.

Of course, in a lot of instances you don't really need security; if it's a small shop with a dozen people working there, everyone with a key to the building whose doors stay locked the physical security should suffice. I have my home PC set up so I don't have to enter a PW at all unless I need to do something as root.

Re:Dictionary

[coolsnowmen]

I disagree. Google is a search engine and doesn't always know which is the best answer (or even the right one).

A Merrian-Webster dictionary or OED is considered a primary source for standard word definition (or existence). In the academic and engineering world we care about where the 'facts' come from. So sources do matter.

If you know where to look in a trusted and accurate source, you should always go there before a search engine. Yesterday, I needed to know the syntax for srncpy. So I typed man strncpy, I didn't goto google.

In the Marine Corps...

[RingDev]

Any time someone left a machine unlocked in the MC we would pounce on it. It would take less than 2 minutes to get emails out to the appropriate members of the chain of command to volunteer the Marine for every shit duty we could find (and swap his or her desktop background screen saver to something highly entertaining or inappropriate).

-Rick

Re:Locking a CLI?

[clone53421]

I have no idea how to do it in bash, but you can easily lock a computer from the command line in Windows.
rundll32.exe user32.dll,LockWorkStation

Another one:
rundll32.exe shell32.dll,SHExitWindowsEx [0|1|2|4|8]
0: logoff, 1: shut down, 2: reboot, 4: forced shutdown, 8: powers down the machine

This would be a fun one to put in the Startup menu of someone who left their PC unlocked, actually... :D

Re:TLS/SSL

[afidel]

OCSP/CRL, certificate revocation list. If you have found a fraudulent site or a legit site who's cert has been compromised contact the signer and have them add it to their CRL/OCSP blacklist. I'm not sure if there is any mechanism for a local CRL, though you can certainly stop trusting a signer if they show a significant lack of diligence in screening their clients.