- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
Um, you are quite right.
Not long ago, a nameless company on your list took all sorts of security precautions to protect data, then put it on a tape, unencrypted, and handed it to some minimum wage messenger, who proceeded to misplace it. Oops :(
Admin
No, session-based web systems will usually hand the client a session ID (I use a combination of the username, user IP address, and current time), then store a copy in the local database. You can't generate a valid token out of thin air because you can't get the database to store it, you can't move a token from one computer to another because the IP address of the original computer is stored in the database, and you can't re-use a token at a later date because the time the token was generated is stored in the database.
Admin
Have you ever heard of proxies????
Admin
The real WTF is that they used VB.NET.
No, wait... scratch that.
The real WTF is that they used VBScript and old-school ASP. o.O
Admin
Admin
Admin
Any given fortune 50 company has myriad extranets in production, sometimes at duplicate or even cross-purposes.
Admin
Nah, State Farm's WAY too advanced for that. Browsing my cookies, I can see that they use W0082393.userID
Admin
In VBScript, Or doesn't short-circuit.
Admin
This man is correct. "Security through obscurity" means that your method of security is only secure if nobody knows how you are doing it. In this case it's hardly even obscure, since the cookie freakin says "userId" right on it.
Admin
Well, I for one can understand what's so secret about that code. I too would by every mean try not to let anybody have a look at it. I'd be ashamed to...
BTW, how did Nate manage not to laugh out loud, right there, on the spot? I don't think I could.
Admin
And *Ding!* *Ding* *Ding* *Ding* Omg, my bullshit-o-meter just exploded! That really has to be great job :D
Admin
<FONT face=Tahoma>Wow, that's 58 words in a sentence and I still haven't got a single clue on what it means, it must really be from one of the Fortune 50s...
</FONT>
<FONT face=Tahoma>And the next day Nate was reported missing...
</FONT>
Admin
<FONT face=Tahoma>I prefer to just base it on the length of the string in determining if it's empty or not, if it's zero then there's no way it won't be an empty string ("")...
</FONT>
Admin
A la Shania Twain. . . "I'm outta here"
Admin
it's still more secure than the WTF a while back that had loggedin=true in the url query string
Admin
I am going with this thoery, there is NO -ing way that so much hype could be put over something as gimpy as this.
Admin
He's assuming Nate didn't test his own code well enough. Maybe it's Alex's embellishment, but it comes off that our intrepid contractor became fixated on the security black box that he had no control over to early in the debugging process.
Debugging is about balancing likelihood and effort. You test a component that is 1% likely to be the cause of a bug, but only takes 1 minute to check before you test a component that is 99% likely to be the cause but takes 6 hours to check. In the example, the black box was highly probable, but once it became clear that getting access to it was going to require a lot of effort from multiple people, and require his contacts in the company to stick their necks out for him, he should have made damn sure the bug had something to do with that black box.
Admin
Except that never happened, at least not in Manila.
Admin
If it's feasible, it will happen. Car jacking didn't become a problem until automakers abandoned the master keys. Now your car is less likely overall to be stolen, but it's more likely you'll have gun stuck in your face in the process of it. I'm not sure that's progress.
It boggles my mind why anyone would protect something valuable with something even more valuable. You wouldn't spend $60k on a security system for a $20k car, why would you protect a $5k credit limit with your thumb? or an eye? Biometrics is about convenience, not security. The people putting this stuff together should ask MS about how well that tends to work out. :)
Admin
Unless he (Simon Phoenix) rips someones hand off, let's hope he doesn't figure that one out. ~ John Spartan
Excellent movie!!!
Admin
Not all security is based on obscurity, but session id is.
Thank you for making my point half way, this is a great tactic to keep session id's just one key, but again your tactic is still just a very obscure implementation of obscurity (2 keys instead of 1).
For a real example of good security that doesn't rely on obscurity, you have to think back to the early telnet servers. When they were given in invalid password the first time, they waited 1 second to tell you. When they were given another bad password, they would wait like 5 seconds. A third bad password would cause a 20 second delay. A 4th disconnected you, often with a timed ban (say a minute). This was an ingenius way to increase security, without simply increasing obscurity (bigger keys, like your 512 bit example, which IS true).
A lot of security tries to just make things more complicated, which is what most of your arguements have been. Some security just needs to make things more difficult to access when being accessed inappropriately. This is one of the features of Vista, and all the "Are you really sure you want to do this" dialogs.
The trick is keeping the difficult access away from things that are being accessed appropriately, and having the heuristics to differentiate between appropriate and inappropriate.
Admin
Ok first, the IP that you are using is coming from an HTTP request, not form the packet level, so spoofing that is a joke. But even if you were getting it from layer 3, again spoofing that is not hard. second, the idea is not to create phoney sessions, it's to hijack existing sessions that ahve already been authenticated. This kills both yoru DB based/created adn timestamp arguements.
Also, storing yoru session info in a DB immediately makes session info available to all SQL injection attacks, and i really doubt most programmers on the script side, have appropriately set up security on the DB tables themselves to have them blocked off. (meaning, a special account shoudl be used to access the session data table, and other accounts to access the DB based on user requests, thus limiting SQL injection access)
Admin
<font face="Verdana" size="2">yo, my apologies for not looking into this more, but is this a true story? wtf is right, heh.</font>
Admin
The real WTF here is that no-one has made the obvious fixes that would make it 100% extra uber secure:
Problem solved.
*Sits down to enjoy a nice relaxing mug of ale*
Admin
Drdamour is right in saying that an existing session can be hijacked. If you know that Mr. Smit the CFO has logged in from his PC at around 10:30, it should be possible test all combinations, one with timestamp 10:25:00, one with timestamp 10:25:01, etc. The solution is simple: add some randomly generated number to the session ID.
I don't see why storing the session information in a database would be problem. You should prevent unauthorized access to the database but you have to do that anyway.
Admin
Well kind og off topic, but i do recall that the Pyramids were in fact not build by slaves but by hired workers (as the whole of the egyptian population had almost nothing to do the three months each year when the Nile valley was flodded. The egyptians used slaves for mining operations in the eastern desert, but that is another story.
Yours yazeran
Plan: To go to Mars one day with a hammer
Admin
That is not the standard definition of security through obscurity. You are saying that anything is security through obscurity if there is some hidden information. The standard definition is if the algorithm is hidden - because then you have no way of testing how secure the algorithm is. Almost any security/cryptography system requires a key to be kept secret to function, that is the whole point. A good system only requires the key to be secret to be secure.
Admin
To be fair, Carnildo said he "used a combination of" that data, and if the method of combining includes a random nonce and a hash, there's no way on earth you're going to guess it. This also mitigates any attempt to inject SQL, if it's a non-user-controllable hash of the id.
Admin
Erm, wouldn't that more correctly be:
Admin
That's a fact. Reading this, I'm guessing Nate was doing something for some "shadow IT" group.
Admin
Admin
If Len(Trim(userID)) Then
...is even more optimised, since it avoids string concatination with what's already a variant string. Traditionally Len checks are faster than string comparison. From a quick test I found almost twice as efficient when checking for empty string, over 5 million comparisons. Equivalent number of characters too.
quack!
Admin
My iPaq still does this, except that it keeps incrementing the time even if you get the right password. It's a great way to keep my 10 year old from guessing my 4 digit password. It's "secure enough", and that's what counts.
The trick is to determine, for each situation, what "secure enough" means.
The *real* WTF is the CAPTCHA: wtf
... har ...
Admin
I think we just stumbled upon the REAL wtf. VBScript evaluates all operations even if the boolean logic has been satisfied.
x = "test" if isnumeric(x) and abs(x) = x then msgbox "Truth" else msgbox "Falsehood" end if
VBScripts evaluates both sides of the 'and' even though isnumeric() returns false. The result of this statement is an error for calling abs() on a string.
To implement this logic you would need: x = "test" if isnumeric(x) then if abs(x) = x then msgbox "Truth" else msgbox "Falsehood" end if else msgbox "Falsehood" end if
Now THAT is a WTF.
Admin
AFAIK this is the normal behaviour of Visual Basic, it's only natural for VBScript to do the same.
Admin
Well, string & "" is a no-op anyway (unless string was a real null or something other than an empty string, and you want the operation to do an implicit conversion). Why would you concatenate an empty string to a string?
Admin
No, a number of people have tried to argue a couterpoint to mine. In fact i have done serious reading on this subject. I have degrees in computer science and computer engineering. Just because you agree with their points, and they agree with each others doesn't make it the correct point.
More importantly, i was throwing out a hypothesis, and when people made their arguement i made counter arguements to support mine.
I will agree that the common definition of security through obscurity is what you guys have been refering to, and was very well stated:
I was simply stating that given the definition of obscurity http://dictionary.reference.com/search?q=obscurity, maybe it should be thought of a little broder. There are other forms of security that absolutely cannot be confused with obscurity.
But thanks for completely missing my point
Admin
I get it now. If my userID consists of spaces only I can't log in. What an oversight.
Admin
Admin
I know vb.net provides "AndAlso" and "OrElse" operators that will do the optimized boolean comparisons. Not positive, but I think that earlier versions of VB provide those operators as well. That said, I don't understand why VB gives the programmer the option to use "And" vs. "AndAlso". Can anyone think of a reason where evaluting all expressions, even after the boolean logic has been satisifed, is desired behavior?
Admin
maybe:
IF X AND Y
where Y is a function that does some work and returns a boolean. And the work in done in Y needs to happen regardless of the value of X. Although that would be pretty WTF all by itself.
Admin
Definitions are nice. They let people talk about the same thing and know that each other is talking about the same thing.
"Security through obscurity" is a fairly well defined concept. If you would like to define a new phrase for the conecpt of security that requires *anything* to be secret, such as "security through secret keys", maybe that would let us have actual conversations about concepts and not definitions.
However, you haven't given us an example of this. While your telnet example may be more secure, at the root it still requires secret data, namely a password. I can imagine scenarios where the delaying tactic could be subverted, such as through a distributed attack.
Admin
mmm if this was only a snippit of the SecurityInclude.asp i wouldn't even judge it as a WTF.
It's just common sense to first check if there even is a userid to do stuff with.
but it's pretty non-enterprise to not atleast have this encapsulated in a dozen objects.
Then you can make it look impressive like
$site_config = new site_config($_SESSION,$_REQUEST);
$security = new Security();
if ($security->user_loggedin()) {
//bla
}
where user_loggedin offcourse only contains
if (is_array($_SESSION['user'])) {
return true;
}
return false;
:P
but heck it's good enough for the things i make.
And i could argue that reading from session is secure, but i believe that's already been done.
Admin
"It was a fairly small project and a great foot in the door. Today an interactive brochure website..."
So I think the vault is probably still safe. Hacking an interactive brochure is unlikely to
bring down the company. More likely, newbies are allowed to work on this stuff while
the people who actually know something work on the critical apps.
Admin
Well, sometimes. The most critical apps, the ones that handle money, are controlled by the few corporate people who know the value of a dollar (sorry for the Americanism). Therefore they'll tend to be lean and to have stood the test of time. This type of app is not likely to cause security issues; it is more likely to be secure from the ones who are supposed to use it.
Corporations take financial systems for granted, but what they think are critical apps are the status symbols: corporate portals, CRM, and the like. Those projects attract the "suits", and they fill up with all sorts of techies who can use business buzzwords and fast-talking consultants - the depth of WTFedness they achieve is beyond anything written up here (although the stories are longer). I've worked at two of the companies on that list of 6 above, not to mention another dozen or so in the top 50, and I can tell you that this type of project is, in fact, the norm.
Admin
Exactly. The calculation is easy: complexity = min(complexity_of_attacks_I_know_about, complexity_of_attacks_I_dont_know_about)
Now all you need is the value of the second parameter...
Admin
that is not what i said, and i'd appreciate it if you did not put words in my mouth.
this was simply a retort to the statement that "i needed to study-up" on the concepts. at no point did i say that my credentials made my case any more valid.
Admin
You are correct, i did NOT give you a good example of this.
Take the same system, but instead of there being a password for access, instead there was simply a command called "off". "off" is completely secure, noone should be able to invoke it. Every time someone does, "off" will warn you and make you timeout for (n)*5 seconds, where n is the number of times you've invoked the "off" command. now no password, but there is security.
sure it's a crappier example, but it does prove that punishment and passkeys are seperate concepts of security. We see this every day in banks. Yes you should have an account and passphrase or key to transfer out money of a bank's lockbox, but you can brute force your way in (maybe with a gun & crowbar) and get the money. What is the security for that? mostly the deterent of the punishment of getting caught, or the possibility of being injured in the attempt. the punishment, a form of security that certainly is not obscure.
Admin
Not really an optimisation, as you will ALWAYS execute Trim regardless of whether there's data there or not. The first one will detect an empty string and stop without even executing the Trim statement.