[Beowulf] Re: "hobbyists"es

Perry E. Metzger perry at piermont.com
Sat Jun 21 17:21:47 PDT 2008


"Robert G. Brown" <rgb at phy.duke.edu> writes:
>> If they can't use public key auth, give 'em secure ids or something
>> similar. Works fine or such purposes. Passwords are dead.
>
> Yeah, Bill Gates (among others) said something like that back in 2004.
> I confess to being deeply skeptical.  Really.  The SecureID solution has
> been around for a long time at this point.  It was a PITA a decade ago.
> It is a PITA now.  Expensive, too.

It is neither. I use SecureIDs quite regularly and it isn't difficult
at all -- you just look at the device and type in the digits. What's
so hard about that? It isn't that expensive, either, but if you're
minimizing cost there are cheaper competitors and various
challenge-response devices, and even non-hardware solutions.

> And then, people have to authenticate to so MANY things nowadays.  I
> have to authenticate to my cell phone. To order pizza.  To do
> banking online.  To shop at X, Y or Z.

That's why they created client certs. Unfortunately few people use
them. MIT does some good things with them, though.

> Then there is logging onto systems I work on -- something that IS
> possible for me without a password.  The problem there is that many of
> the systems I'm logging in from are laptops (I have two personally,
> about to make that three).  The laptops themselves then become a
> security risk if they are stolen,

That's why they invented encrypted partitions, and why ssh lets you
encrypt your public key credentials.

I haven't used password based credentials with any services in about
ten years. I deal with a lot of machines, and I don't find the lack of
passwords inconvenient. Between SecureID, public key credentials,
kerberos, etc., there is really not much cause to use passwords over a
network any more.

>> Not really, no. Tokens are cheap for remote access.
>
> I'll have to revisit this.  I do know that people use them.  There is
> one in the house for a particular site.  My impression was a minimal
> cost of $10's of dollars per user on up, per site you want to access
> this way, plus a whack for the server side stuff.  Is this reduced?  Or
> is this what you call "cheap"?

$10-$50 a user is cheap compared to the salaries of even university
sysadmins multiplied over all the hours of trouble that breakins
cause. As I said, there are competitors that are cheaper -- if you
really need a $5 solution, they exist. If you think you're spending
less than $5 a user on related security problems over the amortization
life of a device, you're kidding yourself in any real organization. Of
course, if you are still over budget, one can also use mechanisms like
Kerberos, and in a university environment that's quite achievable, and
has no associated hardware costs at all.

>>> IMO, we are quite possibly moving towards a "healthy world" on the
>>> internet.  The problem we face is understandable, the linux solution is
>>> remarkably robust (and could be and is being made even more so).
>>
>> I have my doubts. The problem appears to be getting much worse with
>> time from where I stand. I probably see more horror on a regular basis
>> than you do, though.
>
> It sounds like it;-)
>
> I hope you don't mind my debating with you and disagreeing on some of
> the things you say, by the way.

I'm hard to rattle on this sort of thing. :)

> I'm not trying to flame or fight a war to prove I'm right, I'm
> picking your brains (in part, by seeing how you refute some of the
> things I say, in part by just listening to them).

You'll pardon me for not replying in greater detail -- you've written
quite a lot and I haven't answered all of it. I'm on vacation this
weekend and I'm attempting not to read overly much email -- my spouse
would get mad if I spent more time on it.

> You actually sound like precisely the kind of wild-eyed paranoid that
> can be extremely valuable to any organization that is concerned about
> enterprise level security.  It sounds like you have a security
> consulting business.  Is that what you do?

It is how I pay for things like my HPC habit, yes.

> The one thing I haven't heard you address is the cost-benefit
> associated with any particular set of security measures, especially
> on a broad basis.

Well, all security is about economics. There are certainly measures
that are appropriate at a bank and utterly inappropriate at a
university, both for reasons of the willingness of the user community
to put up with various kinds of inconvenience and because of raw
cost. This sort of thing becomes a very, very long discussion, though,
and again, I'm on vacation. :)

> Now, two days of my time -- or even a week -- cost Duke a truly pitiful
> amount (I'm embarrassed to say:-).

I doubt even you are paid less than minimum wage, though, and you
should keep in mind any hour you spend away from your real job costs
the University the labor you were doing on your actual work as well.

>>> I think that our problem is that I have been prepending the word
>>> LINUX mentally to our discussions.  LINUX networks are not so
>>> commonly set up by people who know nothing.
>
>> Ubuntu is rapidly helping with that.  :) 
>
> I actually don't agree that linux would prove anywhere nearly as
> vulnerable as Windows has been historically even if they switched market
> share tomorrow,

I tend to agree that Unix has a much better overall architecture, but
the big problem right now is the professionalism of the
attackers. People are making a lot of money attacking Windows because
it is the majority platform, and they tend to concentrate their
efforts there. Linux would receive quite a bit more unwanted attention
from such folks if it was profitable for them, and the quality of the
codebase is quite variable. There *are* holes.

> and Ubuntu was the only version of linux used.  After all, as YOU
> pointed out, MS left Explorer unpatched for 9 months.  NINE MONTHS!
> Say what?
>
> Find a similar exploit in (say) Firefox.

There have been a number. I'd go and look at the CVE database. That
said, fewer of them have gone unpatched for quite so long -- the
pressure there from the community tends to be higher for whatever
reason.

> Virtualization is going to change everything, by the way.

There are whole sessions at security conferences on ways to break out
of VMs. Some of the techniques are quite amazing. I'd look at recent
conference proceedings. I'm not claiming that VMs aren't a good
thing -- they are. They're just not foolproof.

> It's really, really hard to crack a site invisibly when every IP number
> that talks to it or that it talks to is isolated in real time and
> compared to a list you set up and control and sets off all sorts of
> alarms if any sort of anomalous or unapproved pattern occurs.

There are some really, really clever exploits out there. If you want
to terrify yourself, start reading up on ethernet card firmware
exploits. You can do astonishing things once you own the ethernet card
on a modern machine -- you have a real processor with DMA access to
the whole of main memory at your disposal. If you want to get even
worse, here is the paper from a month ago about designing exploits in
to microprocessors directly...

Perry
-- 
Perry E. Metzger		perry at piermont.com



More information about the Beowulf mailing list