• Cheong (unregistered) in reply to Kuba

Kuba:
    Umm, what kind of lame network switch do you use that cannot prevent all that? A rather cheap $300 managed switch, like HP2626 off eBay, will take care of all that for you.

    A switch can't block traffic that doesn't go through it.

If someone intentionally buys a cheap router with a DHCP server, of course he'll also bring in cheap hubs that have no security at all (a hub broadcasts any packet it receives on all of its ports, without even bothering to check the recipient's IP/MAC address).

[company network] - [switch] - [hub] - [cheap router]
                                     |
                                     |----- [client PC]

  • Cheong (unregistered) in reply to Cheong

    Emmm... seems the comment box is eating leading space. The "client PC" at above chart should be connected to the "hub".

  • (cs)

So the real WTF here is that Gerald wasted all this time "inventing" OpenID?

  • Bry (unregistered) in reply to Marcus Brito

Any proxy or filter worth its shit will serve X-Forwarded-For. Read off that, along with certs.

    XFF can be trusted if you define the external IP.
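Bry's point is that X-Forwarded-For is only meaningful when you know which proxy wrote it. The snippet below is an added example, not code from the thread or from the product in the article; the proxy addresses are constructed, and the rule is the usual one: trust the header only when the TCP peer is one of your own proxies, then walk the chain from the right and stop at the first hop that is not yours.

```python
import ipaddress
from typing import Optional

# Constructed list of our own reverse proxies (assumed values). List the
# proxy hosts themselves, never a whole subnet: if a client could sit inside
# the trusted range, its own spoofed hops would be walked over as well.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]


def is_trusted_proxy(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the address that should be treated as the client.

    remote_addr: the TCP peer that actually connected to us.
    xff_header : raw X-Forwarded-For value, or None if absent.

    Hops are appended left to right as the request passes through proxies, so
    the rightmost entries were written by the proxies closest to us. Walk from
    the right, skip our own proxies, and the first foreign hop is the client.
    Everything further left was supplied by an untrusted party and is ignored.
    """
    if not is_trusted_proxy(remote_addr):
        # Direct connection, or an unknown box in front of us: the header is
        # unauthenticated input, so the peer address is the only answer.
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer
        if not is_trusted_proxy(hop):
            return hop
    # Empty header, or every hop was one of our proxies.
    return remote_addr
```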

  • dr memals (unregistered)

Just implemented SSO via ADFS for Microsoft. ADFS is supported across multiple architectures outside of M$, including Sun and IBM.

  • Spudd86 (unregistered) in reply to PITA
    PITA:
    My laptop has a fingerprint scanner - can't I use that to log on to the system? No, someone may chop your fingers off and steal your password!

Fingerprint scanners are easy to spoof (go watch Mythbusters; all you need is the fingerprint, a good flatbed scanner and a laser printer). Also, they are not the most reliable devices (if you never have to swipe more than once, there's a good chance someone else's finger will work).

  • Spudd86 (unregistered) in reply to Sean
    Sean:
Most of these comments are idiotic. So what if this implementation was for one user. At least now SSO is a feature of the product and someone paid you to add it to the product.

    Remember, everything a customer asks for enhances the product. A developer's job is to solve problems for clients, and if a client pays for a feature before it's in the product... well, then they just paid you to develop that feature, instead of you spending your own money.

    Sean

Except the feature is stupid, broken and probably shouldn't have passed the certification mentioned, and if someone ever does catch the possible problems with it...

  • Spudd86 (unregistered) in reply to Tod
    Tod:
    How did this pass HIPAA review? It doesn't prevent unauthorized access to patient records since it only checks the computer (hardware) not the user. Computers aren't authorized, people by virtue of their positions and jobs are.

    THIS

  • Spudd86 (unregistered) in reply to davedavenotdavemaybedave
    davedavenotdavemaybedave:
    Your IP here:
    savar:

And at that point, it's not exactly "spoofing", is it? If you've subjugated a major router on an autonomous system, it IS your IP address now. (Indeed, it's your whole CIDR subnet.)

    Well, yes, if you do it at the WAN level. But remember from the article, they're also worried about 'malicious employees'. If somebody with access to the LAN wants to get access, it's easy, particularly if the 'authorized' computer is down. Just statically assign the 'authorized' IP and connect. Or if anything tricky is being done with the DHCP server, just spoof the 'authorized' MAC or hostname, whatever the DHCP & co. are using for assignment. And so on...

    Depending on the network, you also don't necessarily have to get into ISP systems for MITM. Local gateways will do fine.

    A lot of Windows-based systems are secured so users can't assign their own IP. There's a lovely WTF all of its own here, though: if you plug a DHCP router into a port on a network, almost all normal Windows Server DHCP configurations will automatically hand control over to that router. Hey presto, IP control.

Until someone brings a machine from home... (and don't mention MAC-address-based DHCP; MAC addresses can be spoofed)
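The "plug a home router into a port" problem above is at least observable on the wire: a second DHCP server shows up as OFFERs from an unknown server identifier, or as a client receiving OFFERs from two different servers. This is an added detection example, not code from the thread or from the article's product; the record layout, the authorised server and all sample offers are constructed for the example.

```python
from collections import defaultdict

# Assumed inventory: DHCP server identifier (option 54) -> MAC of the real host.
AUTHORISED_SERVERS = {"192.0.2.1": "00:11:22:33:44:55"}


def rogue_dhcp_offers(offers):
    """Return alert strings for DHCP OFFERs that should not exist.

    Each offer is a dict with: ts, src_mac (Ethernet source of the frame),
    server_id (option 54), client_mac (chaddr), yiaddr (offered address).
    Three conditions are flagged:
      * server_id is not an authorised server at all (a rogue router),
      * server_id is authorised but the frame came from a different MAC
        (someone impersonating the real server's identifier),
      * one client received offers from more than one server_id, the
        visible symptom of a rogue server racing the real one.
    """
    alerts = []
    servers_per_client = defaultdict(set)
    for o in offers:
        expected_mac = AUTHORISED_SERVERS.get(o["server_id"])
        if expected_mac is None:
            alerts.append(f"{o['ts']} rogue DHCP server {o['server_id']} "
                          f"({o['src_mac']}) offered {o['yiaddr']}")
        elif o["src_mac"].lower() != expected_mac:
            alerts.append(f"{o['ts']} server id {o['server_id']} spoofed from "
                          f"{o['src_mac']}, offered {o['yiaddr']}")
        servers_per_client[o["client_mac"]].add(o["server_id"])
    for client, servers in servers_per_client.items():
        if len(servers) > 1:
            alerts.append(f"client {client} received offers from "
                          f"{len(servers)} servers: {sorted(servers)}")
    return alerts


# Constructed sample: the real server, a home router answering the same
# client, and a frame that claims the real server's id from the wrong MAC.
SAMPLE_OFFERS = [
    {"ts": "09:00:01", "src_mac": "00:11:22:33:44:55", "server_id": "192.0.2.1",
     "client_mac": "aa:bb:cc:dd:ee:01", "yiaddr": "192.0.2.50"},
    {"ts": "09:00:01", "src_mac": "de:ad:be:ef:00:01", "server_id": "192.168.1.1",
     "client_mac": "aa:bb:cc:dd:ee:01", "yiaddr": "192.168.1.100"},
    {"ts": "09:00:05", "src_mac": "de:ad:be:ef:00:02", "server_id": "192.0.2.1",
     "client_mac": "aa:bb:cc:dd:ee:02", "yiaddr": "192.0.2.51"},
]
```

Running `rogue_dhcp_offers(SAMPLE_OFFERS)` yields one alert per condition; the same function can be fed offers parsed from a port-mirror capture or the DHCP server's own log once mapped to these fields.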

  • Spudd86 (unregistered) in reply to Anonymous
    Anonymous:
    What about a USB authentication card or something? They make those right? USB drive has a certificate on it, and when they need to "login" they stick the USB drive in the slot and the program reads the data and off they go. Doesn't tie the person in to a single computer or IP either.

    This seems to be a web app, you don't get to talk to USB dongles from a web app

  • Spudd86 (unregistered) in reply to Casey
    Casey:
What's funny is that some old mainframe security schemes are based solely on terminal ID.

    So they were doing it wrong, how is the fact that mistakes tend to be repeated relevant?

  • Spudd86 (unregistered) in reply to Ren
    Ren:
    I don't really see the WTF here. The client got what they wanted, the company got loads of billed hours AND a new fancy feature to sell and best of all, the one user doesn't have to remember another password now!

    I'll admit I facepalmed when reading the final sentence, but if the client wants to pay and is happy at the result, WHY NOT!?

The WTF is that this got to production; it's not secure (not even remotely).

  • Spudd86 (unregistered) in reply to Neal
    Neal:
    My lesson is that this programmer needed to ask way more questions.

    Both RSA and a dozen other companies have 'Secure USB Tokens' available.

    http://www.swekey.com/ http://www.rohos.com/welcome-screen/usbflash.htm

If you know beforehand that the system is NOT open-ended w.r.t. the number of users, then hardware solutions become quite viable.

Any enterprise system that is sold on the basis of number of seats (the common unit charge in SaaS apps) by definition does NOT have an open-ended number of users.

    It's a web app... you don't get to talk to a USB dongle...

  • ex-vb6-dev (unregistered) in reply to Steve the Cynic
    Steve the Cynic:
    Passing comment: Gerald was asked to implement a solution that had already been decided, rather than to select a solution for a problem. OK, this happens sometimes. It appears, though, that the solution had been selected by the salesdoofus or the client, more likely both together, based on technical ignorance. This, too, happens sometimes.

    Gerald then raised the level of WTF by applying his own ignorance (to be charitable, perhaps we could call it "gaps in his knowledge", but I'm not in a charitable mood today) and setting the tone by beginning with "It's impossible". No, it's not impossible. It's software, of course it's possible. (I'm being deadly serious here. Code is the most flexible and adaptable construction material known to man.)

    As the very first poster pointed out, client certificates are the correct solution to this problem. As it stands, in two years' time, nobody at the client will remember how the authentication works, and will turn off the local token server, or renumber the network, or give the recalcitrant idiot user a new machine so its DHCP-granted IP address changes. Then the RIU will not be able to connect, and that's the end of that.

    Like they would remember that there was a client certificate....

  • ex-vb6-dev (unregistered) in reply to Quirkafleeg
    Quirkafleeg:
    illtiz:
    Quirkafleeg:
    Zolcos:
They didn't like the idea of relying on headers, because headers can be faked. But they're cool with relying on cookies?!
    A strong # applied to well-chosen text would help, along with an encrypted connection.
    How is a pound supposed to help you?
    Hint: # ≠ pound…

Through British goggles it is. I'm sure poor illtiz's browser uses the wrong encoding.

  • LIndy mo (unregistered)

    Oh wow, seems pretty reasonable to me dude.

    Lou www.anon-vpn.net.tc

  • sena (unregistered) in reply to Spudd86
    Spudd86:
    This seems to be a web app, you don't get to talk to USB dongles from a web app

Actually, you can have a smart card dongle and easily use middleware to access it through PKCS#11. Firefox supports it straight out of the box. IE, for instance, requires additional software but still works.

    It's equivalent to a client-side certificate, but more secure (multi-factor authentication).

    Anyway, besides the obvious client-side certificate solution, they just ended up implementing a simple (and much less secure) version of Kerberos...

  • Former Ad guy (unregistered)

Had a similar incident where an art director oversold a "Flash" interface for a login screen that had a beautiful rendering of a vault, and you had to spin the tumblers for access.

    I had to point out that this was the backend login screen.

  • (cs)

Client certs are the obvious solution.

    My speculation is that this is a prime example of YAGNI in action. At some point in the future (which never arrives), the client expected more users. Barring clairvoyance, the money would have been better spent elsewhere until (and if) that future arrives.

  • Andrew (unregistered)

    This doesn't seem all that secure to me. Don't I just have to unplug the user's computer from the network, and then set my computer to their IP address?

  • pupsikaso (unregistered)

I'm sorry, but if someone says they can't remember their logins, then IT is responsible for changing their login and sending an email with the new login to them. If this becomes a habit, the person needs to be either trained to help them remember their login, or disciplined otherwise.

    But if they REFUSE to remember their logins to systems, they need to be shown to the front door.
