Slashdot Mirror


Schneier On Un-Authentication

Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"

21 of 336 comments

  1. Effective way to keep screens locked by stefanb · · Score: 4, Funny

    A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the reader's imagination.)

    Apparently, very few people left their machines unlocked more than once...

    1. Re:Effective way to keep screens locked by MyLongNickName · · Score: 5, Insightful

      So, you are a thief?

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    2. Re:Effective way to keep screens locked by aardwolf64 · · Score: 5, Funny

      Of course, the fun rose exponentially when two people had their machines unlocked. I would frequently carry on a whole phantom conversation.

      "Hey, let's go to lunch tomorrow"
      "I can't, I have to wax my hamster"
      "I didn't know you had a hamster"
      "..."

    3. Re:Effective way to keep screens locked by MyLongNickName · · Score: 3, Insightful

      No, moron, you are basically having a charge appear on someone else's account for services you got.

      And the services are not purely electronic. You got a service that really cost someone else money.

      And on top of that, you assume I download music/other files illegally. I don't.

      So, not only are you a thief, but you are not very bright. And you jump to conclusions that are not supported by the facts.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    4. Re:Effective way to keep screens locked by Velorium · · Score: 3, Insightful

      Well see here, you actually created a charge for somebody else to pay. The first thing of know-how to piracy is that stealing is removing an item (what you did). Piracy is making a copy of an item (downloading). If you're trying to justify actually stealing something, do so in a way that's at least somewhat logical.

    5. Re:Effective way to keep screens locked by cbiltcliffe · · Score: 5, Insightful

      How is using physical paper and toner paid for by someone else with their money the same as downloading a digital version of a movie that you already have the VHS for, but it got chewed up when your VCR died?

      There's a very good reason why the laws of virtually every country in the world DO NOT consider downloading data to be theft.

      Because it's not.

      It's copyright infringement.

      I'm not saying it's right, or justified, or anything to do with the moral right or wrong of it. If you come out with a comment about how I'm a scofflaw just because I don't think it's stealing, you've just shown your own immaturity, and complete lack of awareness of the situation, as well as sheer arrogance in putting words in my mouth.

      The simple legal fact is, the two are not connected in any way, regardless of entertainment industry propaganda.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    6. Re:Effective way to keep screens locked by HAKdragon · · Score: 3, Funny

      The real fun is to create a new folder before doing the screenshot and then deleting it right after.

      --
      "Our opponent is an alien starship packed with atomic bombs. We have a protractor."
    7. Re:Effective way to keep screens locked by MyLongNickName · · Score: 5, Insightful

      Hi Commodore,

      You again make assumptions about my behavior. I can quite honestly tell you I have not done any of the above except ad blocking, which is neither illegal nor amoral.

      You again fail to see the very obvious. You charged your services to someone else's account. This isn't complicated.

      As far as my "sinning", yes I have done things I wish I hadn't. However, you come here bragging about what you have done, and then continue to justify your actions using absolutely moronic logic. If you want to follow your "sin" analogy, then you have not "repented". While you are unrepentant, you are to be treated as though you were an outsider, shunned and ignored.

      The bottom line is that you stole from the people you did this to.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    8. Re:Effective way to keep screens locked by AmiMoJo · · Score: 4, Interesting

      You can get little RFID tokens that you keep in your pocket. When you move out of range of the RFID reader on the PC (about 3m away) it automatically locks the workstation and can either require a password to unlock or simply having the token back in range.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:Effective way to keep screens locked by Anonymous Coward · · Score: 3, Funny

      I was 17 and stupid

      Well, at least you aren't 17 anymore. 1 out of 2 isn't bad.

  2. Re:I lock my computer when I walk away by Deag · · Score: 4, Informative

    I'll save you a keystroke, windows-L works too.

  3. Solutions that work, but are too bulky. by Animats · · Score: 5, Informative

    Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.

    Nobody would tolerate that today. Except, maybe, for an ATM.

    1. Re:Solutions that work, but are too bulky. by fuzzyfuzzyfungus · · Score: 3, Insightful

      Trouble is, anywhere except a building full of guys with guns, you would also have encountered an ingenious arrangement of paper clips and/or packing tape holding the door sensor permanently in the closed position...

  4. Reauthenticate when suspicious by Geoffrey.landis · · Score: 3, Interesting
    Requiring re-authentication whenever a logged-in user does something suspicious-- i.e., transferring large amounts of money, installing a keylogger, sending out ten thousand e-mail messages, scanning networks for open ports, etc.-- might be useful.

    If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.

    --
    http://www.geoffreylandis.com
  5. MS solved this problem, but removed it with W2K+ by Tumbleweed · · Score: 4, Funny

    Windows 95/98/ME had a built-in solution to this problem, but MS removed it in Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.

  6. Re:How do you un-authenticate? by spydabyte · · Score: 4, Insightful

    You're the first person to address the real issue he's talking about and not the simple example of leaving a computer unlocked.

    Think of a remote connection to Remote Desktop for Windows. When does the server know when to sever the connection? Is it after some time delay of minimal activity? If it's left authenticated for time X, and the ability for the traffic to be hijacked is Y, are X and Y proportional?

    It's not as simple as I walk away from a physical machine anymore. My favorite is when an application doesn't close when you press the X in Windows (upper right) or OS X (upper left). Its connections are still left open, leaving authentication on opening the application worthless.
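The two comments above (Geoffrey.landis on re-authenticating before sensitive actions, and spydabyte on when a server should decide a remote session is over) describe the same server-side problem: the server, not the client window or the cookie, has to own the decision that a session has ended. The block below is an added example written for this page; it is not code from Schneier, Threatpost, or any commenter. It assumes hypothetical policy values (15-minute idle timeout, 8-hour absolute lifetime, 5-minute freshness window for sensitive actions) and hypothetical action names; a real deployment would tune those and persist the table in a shared store.

```python
import secrets
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not numbers from the article.
IDLE_TIMEOUT = 15 * 60             # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 8 * 60 * 60    # hard cap: activity never extends a session past this
FRESH_AUTH_WINDOW = 5 * 60         # sensitive actions need a credential check this recent
SENSITIVE_ACTIONS = {"wire_transfer", "change_password", "add_api_key"}  # hypothetical


@dataclass
class Session:
    user: str
    created_at: float    # set at login, never refreshed
    last_auth_at: float  # refreshed only when the user re-enters a credential
    last_seen_at: float  # refreshed on every accepted request


class SessionStore:
    """Server-side session table. Expiry and logout happen here, so a client
    that closed its window without telling us, or a stolen cookie, is cut off
    by the server's own clock rather than by the client's good manners."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._sessions: dict[str, Session] = {}

    def login(self, user: str) -> str:
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, now)
        return token

    def reauthenticate(self, token: str) -> bool:
        """Call after the user successfully re-entered a credential (step-up)."""
        s = self._sessions.get(token)
        if s is None:
            return False
        s.last_auth_at = self._clock()
        s.last_seen_at = s.last_auth_at
        return True

    def logout(self, token: str) -> bool:
        """Explicit un-authentication: the record is gone server-side, so a
        replayed token is useless even if the client never deleted it."""
        return self._sessions.pop(token, None) is not None

    def logout_all(self, user: str) -> int:
        """Kill every session for a user (lost laptop, suspected hijack)."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)

    def check(self, token: str, action: str) -> str:
        """Return 'ok' or the reason the request was refused."""
        now = self._clock()
        s = self._sessions.get(token)
        if s is None:
            return "invalid"
        if now - s.created_at >= ABSOLUTE_LIFETIME:
            del self._sessions[token]
            return "expired_absolute"
        if now - s.last_seen_at >= IDLE_TIMEOUT:
            del self._sessions[token]
            return "expired_idle"
        s.last_seen_at = now   # session is alive; this request counts as activity
        if action in SENSITIVE_ACTIONS and now - s.last_auth_at >= FRESH_AUTH_WINDOW:
            return "reauth_required"   # caller should prompt for the credential again
        return "ok"


if __name__ == "__main__":
    # Demo with a fake clock so the timeline runs instantly.
    t = [1000.0]
    store = SessionStore(clock=lambda: t[0])
    tok = store.login("alice")
    print(store.check(tok, "view_balance"))      # ok
    t[0] += 6 * 60
    print(store.check(tok, "wire_transfer"))     # reauth_required
    store.reauthenticate(tok)
    print(store.check(tok, "wire_transfer"))     # ok
    t[0] += 16 * 60
    print(store.check(tok, "view_balance"))      # expired_idle
```

Two design points worth noting. The idle timer is refreshed by activity but the absolute lifetime is not, so a hijacked session that keeps itself alive with periodic requests still dies at the hard cap. And the freshness check keys off the last credential entry, not the last request, which is what makes "re-authenticate for a wire transfer" mean something even while the session itself is valid.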

  7. It still works in XP by davidwr · · Score: 3, Funny

    At least it does on my compu[BSOD graphic goes here]

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:It still works in XP by CannonballHead · · Score: 3, Funny

      that's cool, your BSOD also pushes preview/submit automatically. :)

  8. Re:I lock my computer when I walk away by Ephemeriis · · Score: 4, Funny

    Then make the lock at 11 minutes or u can give your mouse a click while u re talking. Doesnt sound that hard. U just have to adopt.

    But... I don't want any more children.

    --
    "Work is the curse of the drinking classes." -Oscar Wilde
  9. This is De-Authorizing, not De-Authenticating by zentechno · · Score: 4, Interesting

    One other system used more prevalently is the simple locking screen saver. The idea is only the user, and sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as generally screen-saver passwords are more-often assigned by the users themselves, and so are easier to guess than the back-end passwords which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems via corporate-policy. Now a minor, but important distinction. This isn't "un-authentication" this is de-authorizing the computer from which you're logged in accessing the place you're logged in to. You want to "authenticate a de-authorization" that is verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought process went into understanding the difference I think more places would realize how serious the solution needs to be.

    --
    "The wall between art and engineering exists only in our minds." -- Theo Jansen
  10. In the Marine Corps... by RingDev · · Score: 3, Funny

    Any time someone left a machine unlocked in the MC we would pounce on it. It would take less than 2 minutes to get emails out to the appropriate members of the chain of command to volunteer the Marine for every shit duty we could find (and swap his or her desktop background screen saver to something highly entertaining or inappropriate).

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs