Fred Avolio's Musings

iChat Status

musings on security and other topics topics archives
October
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        
most recent headlines other links, other blogs  

:: home ::
Mon, 30 Oct 2006
Shocking News! You can print fake boarding passes on your printer!

I am being sarcastic, you know? Only the computer illiterate will be surprised that the boarding passes you print out on your home printer can be faked. I don't expect members of Congress to be computer or technology experts, but even if their eyes and brains don't tell them this, don't any of them have smart, computer-savvy aids with a clue?

One of many news items about this is at www.wired.com/news/technology/0,72023-0.html.

In a more recent post, Rep. Edward Markey (D-MA) repented of calling for Soghoian's arrest, but still sugested bad judgement. Dr. Avi Rubin also weighed in, "Even if he has a legitimate point, it shows a real lapse in judgement"

I suppose. Still, what's the difference between what I print out on my printer when I "check in," to a flight using an airline's web site and Soghoian's? Right, one is real. But, still... how does the TSA agent know that?

Right. He or she doesn't.

Comment on this.
[/security/] permanent link

Another Security Expert Heard From

"I think we're all Bozos on this bus."—Firesign Theater

This Infoworld column illustrates something I've talked about before, but have never given a name. I'll start calling it the "Everyone is a security expert" syndrome. I've alluded to it in the following blog entries:

In the above-cited column, Roger A. Grimes, makes the declaration, "Security by obscurity: It works!" and states:

Almost every computer security "expert" alive repeats the mantra that security by obscurity is no security at all, despite overwhelming evidence to the contrary. I propose that it should be a valid part of any computer defense plan, and in fact, can be one of your best defenses.

Before writing angry hate mail to your new security columnist, let me explain further. First, I did't say security by obscurity was the only defense technique someone should use. I didn't even say it was real security, but I am saying that it should be an important part of most computer defense strategies.

I read that and shook my head in dismay. Not because he is wrong. But, because he thinks this is a new idea. Except that none—no not one—of the computer and network security experts I know would or have ever said that. It is an often misstated security axiom (I list as a "bogon" in my list of security axioms), that is more correctly stated, that depending or relying soley on obscurity for security is misguided and gives a sense of security that is false. I say this in a February 2001 Letter to the Editor of Information Security Magazine, wherein I say in part

...surely there is nothing wrong with security through obscurity. Keeping secret keys secret is an excellent example of this, and we count on it for much of the crypto-based security on the Internet. What many security professionals rail against is depending completely, totally and only on security through obscurity, and doing so forever.

And in a 2001 column I wrote for WatchGuard Technologies, I wrote, "Though 'security through obscurity' is unwise as a sole defense, there is absolutely nothing wrong with making it harder for an attacker to attack."

Even in early 1994, in an early firewall paper with Marcus Ranum,\ A Network Perimeter With Secure External Access, we wrote, "Security through obscurity is counter-productive. Easy-to-understand measures are more likely to be sound, and are easier to administer."

And Bruce Schneier, in his May 15, 2002 Crypto-Gram Newsletter, writes about "Secrecy, Security, and Obscurity."

So, Mr. Grimes, welcome aboard, and thanks for helping the security community to get this important message out. But, I am concerned. Your by-line would lead one to believe that you are the new "Security Advisor" columnist. How come you are just getting this?

Fred Wamsley www.berylliumsphere.com, wrote:
I would have said that "security through obscurity" is a phrase that clouds good thinking about secrets.

Why doesn't the mass-market security literature explain the difference between a defensible secret like the symmetric encryption key generated for every message, and an indefensible secret like how the Enigma machine works?

It's not a complicated analysis either. Just ask how many people know the "secret", how long the secret stays useful, and whether you can contain the damage if the secret gets out.

... For an example of an indefensible secret, consider Social Security numbers.

Roger Grimes replied:
You're dogging my security by obscurity works rant InfoWorld column wondering why it took me so long to think of it??

I've been in the field of computer security for 20 years. Its not a new idea to me. Just because I put it in a column now and then, doesnt mean its new to me. It's just the topic of the day, something that came into my mind.

And contrary to what you imply, 99% of security experts constantly repeat over and over to students that security by obscurity doesnt work. I had dozens of security experts write me and tell how wrong I am. So, it doesnt hurt to remind the masses, from time to time, that it actually does have value.

Roger

Roger A. Grimes, Eastern Data Inc., Director of IT Security
CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH

This is then an example of one of my Top SIX Reasons Why I Hate Network- and Computer-Security, that being We talk about and rehash the same old stuff.
I received e-mail from colleague Scott Pinxon, who wrote
I'm confused. Why are you upset that you have to tell people the same concepts over and over? Is there some other industry where the lead practitioners said something once, everyone got it, and they all moved on? Besides, you were an early adopter, Fred. Just because some of us are slower than you, does that mean we don't "deserve" to hear smart security concepts? Network security has an endless, oncoming wave of newbies. It's too soon to tire of preaching wise axioms!

I am not sure where I've miscommunicated. Yes, we need to be aware of history. Here's my reply:

Remembering History is essential, as I mention here (which was referenced in this blog). ... we keep presenting the same old stuff as if it is new stuff and we never seem to learn from it. We forget history and, so have to relearn it (as George Santayana warned in his famous quote about forgetting the past and having to relive it).

Comment on this.
[/security/] permanent link

Thu, 12 Oct 2006
Tweak to my Spam Barrier

I—like a lot of you—was getting lots of "buy this hot stock" spam. The latest change I made to my Postfix installation is to add a check against the Spamhaus Bloclk List. The addition to main.cf is under smtpd_client_restrictions, which now looks like this:

smtpd_client_restrictions =
check_client_access hash:/etc/postfix/accessi
reject_rbl_client sbl-xbl.spamhaus.org

Previous articles and blogs:

It seems to be working well.

Well, Spamhause has been in the news. This will give you all you need to know in case you've missed it.

Comment on this.
[/e-mail/] permanent link

Mon, 02 Oct 2006
Love, No Longer "Love and Hate"

As of a few weeks ago, I was still having the problem I mentioned in Still Love and Hate Mail. I had found that if I remembered to Go Offline, then Go Online again, all was well. If not, the Mail client and the IMAP server got confused about what my Inbox looked like. Clearly, the mailbox state wasn't being updated until I disconnected.

I religiously read the Apple discussion groups (for example, this thread). And found the solution.

As I posted in the above-mentioned thread

RE: IMAP deleted mail won't stay deleted...
Posted: Sep 12, 2006 9:39 AM

> The following is an example of such a thread, and it
> contains a more extensive discussion of what the
> issue really is and why manually taking the account
> offline/online might work:
>
> http://discussions.apple.com/thread.jspa?threadID=586858

I looked at this before, but I looked at it again and here is what I did. This may be something you can try. I am trying it. So far, so good. You need to change your INBOX to .mbx format. (See http://www.washington.edu/imap/IMAP-FAQs/index.html#4.5 wherein we read,

If you create an mbx-format INBOX, by creating "#driver.mbx/INBOX" (note that "INBOX" must be all uppercase), then subsequent access to INBOX by any c-client based application will use the mbx-format INBOX. Any mail delivered to the traditional format mailbox in the spool directory (e.g. /var/spool/mail/$USER) will automatically be copied into the mbx-format INBOX and the spool directory copy removed.

Okay, cool How to create the INBOX. Conntect to your IMAP server using a telnet client and then issue the commands needed to create it. I saved my Inbox contents first, but this actually should not touch the spoolfile mailbox (On a UNIX system, this is something like /var/mail/fred for me and is in UNIX mailbox format.)

So, in terminal I did this (this is exactly what I typed except I typed in my real incomingmailserver name and my real password):

telnet incomingmailserver 143
a001 login fred mypassword
a001 create #driver.mbx/INBOX
a001 logout

See http://www.ietf.org/rfc/rfc2060.txt for IMAP commands.

Seems to be working fine. (It created INBOX in ~fred on my server, by the way.)

Fred

It is still working exactly as it is supposed to and I am completely happy with Mail.

Comment on this.
[/pc2mac/] permanent link