> I'll check his blog, which didn't exist (afaik) until after the TSA started messing with him.
:)
This is not correct.
My blog existed for a year before the TSA affair.
It's just that very few people read it.
Check the site, http://paranoia.blogspot.com/ and you'll see that it goes back quite a bit. Hundreds of posts before the FBI came to my house.
The "possible solution" you posted on your blog is the very same technology that we developed this phishing MiTM attack against.
The technology is called Passmark. It's made by RSA, and licensed to lots and lots of financial firms. This is primarily due to the fact that it is far cheaper to roll out than a real SecurID token. Although, to be fair, SecurID tokens can be man in the middle'd too. However, a SiteKey/Passmark MiTM is far worse, as the attacker can log in to your bank account later - instead of only having one time access with the SecurID. In any case....
Your blog post merely explains how one signs up for Passmark/SiteKey. It is not a solution to the problem, but is the very security system that we bypass with our project.
Please read the blog post (the very subject of this Slashdot thread), and watch the video. You will see striking similarities between the Bank of America authentication scheme and the one you post about.
Cheers
Chris
Have you tried to?
It's really simple. When you check in with the airlines, tell them you forgot your ID, and they'll print you up a special boarding pass that has the letters "SSSS" marked on it - which means that you'll get searched a bit more carefully (i.e. they'll swab stuff in your carry-on bag to check for bombs).
If your main goal is to bypass the no-fly list, and not to sneak something onto the plane, then this should be more than enough for you.
Plus, in some airports, they rush SSSS passengers to the front of the security line, so you can actually get through security faster without ID than with.
Yes, I have, 4 times. So has Jim Harper from the CATO Institute.
It's easy, and the US appeals court has recognized this right.
See: this story
Move on folks, there's nothing to see here.
This was done last year, by these guys: Browser Recon @ Indiana University
Defenses against this, and other attacks have been created and deployed through two Firefox extensions put out by Stanford University: Safe History and Safe Cache.
This stuff ain't new.
Hmm.
So someone precomputes the hashes for every single email address at yahoo/hotmail/gmail.. or for a single company that you're trying to find info about.
Just as you don't want to give someone your /etc/passwd file, in case they run a brute force search, wouldn't you not want to reveal the email address of all your friends?
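Added example, not part of the original comment: a sketch of why an unkeyed hash of an email address does not hide it from anyone who can enumerate likely addresses, next to a keyed hash (HMAC) whose key stays with the service. The comment does not say which hash is meant, so SHA-256, the sample addresses and the key below are all assumptions constructed for illustration.

```python
import hashlib
import hmac


def normalise(email: str) -> bytes:
    # Addresses are usually compared case-insensitively, so hash one canonical form.
    return email.strip().lower().encode("utf-8")


def unkeyed_hash(email: str) -> str:
    # Weak form: anyone can recompute this for any address they can guess.
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    # Stronger form: without the key, hashing a guess yields a different value.
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def match_guesses(published, candidates, hash_fn):
    # The precomputation from the comment: hash every candidate once,
    # then look each published value up in the resulting table.
    table = {hash_fn(c): c for c in candidates}
    return sorted(table[h] for h in published if h in table)


# Constructed sample data (not real addresses or a real secret).
CONTACTS = ["alice@example.com", "bob@example.org", "carol@example.net"]
CANDIDATES = [f"{name}@{domain}"
              for name in ("alice", "bob", "dave", "erin")
              for domain in ("example.com", "example.org")]
SERVICE_KEY = b"constructed-demo-key"


def demo():
    published_unkeyed = {unkeyed_hash(e) for e in CONTACTS}
    published_keyed = {keyed_hash(e, SERVICE_KEY) for e in CONTACTS}
    # A guesser without SERVICE_KEY can only compute the unkeyed hash.
    found_unkeyed = match_guesses(published_unkeyed, CANDIDATES, unkeyed_hash)
    found_keyed = match_guesses(published_keyed, CANDIDATES, unkeyed_hash)
    return found_unkeyed, found_keyed


if __name__ == "__main__":
    print(demo())
```

The keyed form only helps while the key stays secret; once it is disclosed, the values are as guessable as the unkeyed ones.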
"and Linux, which requires far less hardware than the other NOSes and could probably be ported to
solar-powered calculators,"
I keep asking myself, when these people do benchmarks, why do they use quad cpu boxen when they know linux doesn't work so hot with em?
Why not assign each OS a set number of dollars, and spend it the best way for the OS. NT can get a quad 500mhz pentium 3 box, and linux can get a cluster of PII 450 boxes....