• bvs23bkv33 (unregistered)

    boss + first?

  • Bzzzt (unregistered) in reply to bvs23bkv33

    Boss+1, +1 damage to subordinates

  • RLB (unregistered)

    I hope you got fired for that.

    I mean, I hope for your sake you got fired for that, because a company where the bosses prioritise number of pawns to play with over productivity and cost savings is not the kind of shop you want to work for.

  • RLB (unregistered)

    I hope you got fired for that.

    I mean, I hope for your sake you got fired for that, because a company where the bosses prioritise number of pawns to play with over productivity and cost savings is not the kind of shop you want to work for.

  • Supersonic Tumbleweed (unregistered)

    B-but saving on those already expensive and on-going worldwide trips should be enough for him to boost his workforce without additional funding.

  • Supersonic Tumbleweed (unregistered)

    But now that I think of it, I overshoot with the travel costs, I guess.

  • Raj (unregistered)

    TRWTF is more war stories with no wtf.

  • CrashMagnet (unregistered)

    I was expecting the TDWTF to be that I was next to impossible to update the certificates on the new certificate server.

    Oh well. Making an enemy of a company director is almost as good.

  • MiserableOldGit (unregistered)

    Much as this all makes sense, once he'd won the point about them using 2FA and not needing to be quite so prissy about how they deploy the certificates, why didn't they just go email encrypted ones and get the helpdesk to relay a one off password over the phone?

    I found out later that I inadvertently pissed off the boss+1 because he was planning on hiring more people for this project and I negated the need for him to expand his empire.

    That's been the secret of my (lack of) success for decades. I've always prided myself on simple and efficient solutions that don't need endless support and maintenance. Might as well have painted a target on my back. I remember saving a firm about quarter of a million (in GBP) in hardware and licensing upgrading their DB infrastructure by rooting out and fixing a shitty SQL query called by their website. I say saving, it didn't save a penny as they went ahead anyway and pretended their upgrades were the magic, correctly realising that no-one in senior management was switched on enough to see all the problems had gone away 3 months before they even got started. Some time later, it turned out they'd screwed up the SQL server licensing (multiplexed) and got stung for another few thousand. I could go on, and on, and on.

  • Peter W. (unregistered)

    After all, it can't get worse than that, right? [...] we should be safe.

    it was deemed safe and loaded up with all the certificates.

    The mountains were in labor and what was born is a ridiculous pissing off of boss[+1].

  • Ross Presser (google)

    /r/Iamsosmart stories are not WTFs.

  • XK (unregistered)

    @RLB: One of the biggest companies in my country used to have the policy of paying managers proportional to the amount of underlings they had. While this sounds like somewhat decent idea to pay more to people with more responsibilities, I think we can all see where this is going.

    Long story short: It is now a very famous example of optimizing for the wrong parameter.

    At least it was probably good for local employment...

  • (nodebb) in reply to Ross Presser

    Well, if he'd posted the design plans for that multimillion$$ system, then there'd for sure be a WTF in the story.

  • Fedaykin (unregistered)

    The correct solution here was to send certificates via certified mail/courier with some confirmation of receipt process. A tiny fraction of the cost of sending someone on a distribution junket every 3 months, and far more secure than a free-for-all certificate server.

    TRWTF here is the described solution here completely negated the 2FA. Might as well have just reverted to user/pass.

  • X (unregistered)

    Yet another snoofle saves the day story. Ran out of submissions have we?

  • ooOOooGa (unregistered)

    When all you see are disasters, then disasters start looking normal.

    CakeWrecks runs a 'Sunday Sweets' story every week to remind people of what professional cakes are supposed to look like. I don't have a problem with a once-a-week article here that shows what good IT practices look like.

  • (nodebb)

    After all, it can't get worse than that, right?

    Since the security people have already blessed this as "Good Enough", we should be safe.

    it was deemed safe and loaded up with all the certificates.

    Mount WTF was in labor, and what had been born was a ridiculous little pissing off of boss+1.

    (sorry for the double post - I wanted to get it posted today, or within the next dozen years (there are still some comments from "2007 held for moderation"))

  • (nodebb) in reply to Fedaykin

    Surely not completely? Even if Mr. Hacker fools the helpdesk into believing he's an employee, that still only gives him a certificate and not a username/password.

  • Andrey (unregistered)

    Why not just mail people encrypted flash drives and email decryption certificates for them?

  • p (unregistered)

    "I said that we could ... allow our users to ... download a self-installing program ... So Mr. Hacker goes to the page and"

    ...inserts malicious code into the self-installing program downloaded and run by all the users. Now he controls every client machine in your company.

  • Fedaykin (unregistered) in reply to emurphy

    The whole point of having 2FA is to ensure that you have 2 factors that provide evidence of someone's identity instead of just one. This is done by putting in place reasonable controls that assure that factors/credentials are only known or possessed by the correct person. That server will be compromised, which they acknowledge with their "worst case scenario", and possibly in a way that goes undetected for a long time. This undermines any possibility of actually trusting that only the right people have the certificates. So they are now completely useless.

    Just because their security policy doesn't require competent handling of credential issuance doesn't mean it's all good. If you need 2FA, and you don't have processes in place to ensure credentials are issued correctly, the only thing your money is buying is a false sense of security.

    My solution (snail mail/courier) is also far from perfect (and would never fly for high security needs), but physical security is a lot easier than digital security. Instead of having to defend against legions of hackers around the globe, all you have to worry about is making sure your physical packages aren't intercepted or tampered with.

  • WTFGuy (unregistered)

    What Fedaykin said. For all practical purposes snoofle's system converted their 2FA into 1FA. Nice torpedo below the waterline. Hope it didn't sink the company.

  • (nodebb)

    An approach that doesn't break 2FA:

    One time pad crypto. Distribute "keys" to the various sites that are really just some type of media full of true (not PRNG) noise.

    The distributed keys are the certificates but encrypted with another copy of that noise, they come with an offset into the batch of noise to be used to decrypt them.

    Properly built one time pads are inherently uncrackable, no security hole there.

  • (nodebb) in reply to Fedaykin

    The correct solution here was to send certificates via certified mail/courier with some confirmation of receipt process.

    But the article says:

    The security team decreed that e/snail-mail was not considered secure enough

    It probably wouldn't have flown.

  • (nodebb) in reply to WTFGuy

    " Since all of our users already had credentials to call the help desk, this was only a minimal additional cost. "

    So you've hacked the machine and you've got the certificate. You still need the username/password combo and you have to call the help desk for that. And that involves "credentials" of some sort independent of the certificate.

  • Ann on a Mouse (unregistered)

    …can anybody explain why they simply couldn't have users get the new certificates over the already-secured network, a few business days in advance? Isn't that basically what a secured network is for?

  • Hasseman (unregistered)

    Instead on complaining we could give suggestions. Of course not all articles are equal good but now and then there are real nuggets. I mean it takes time and effort to create items in any blog. Maybe less frequent stories? I enjoy reading most of them.

  • operagost (unregistered)

    You know, RSA fobs were already a thing in the 1990s.

  • siciac (unregistered) in reply to Loren Pechtel

    An approach that doesn't break 2FA:

    One time pad crypto. Distribute "keys" ...

    The moment you invoke one-time pads as a solution to key distro, you've failed. If you could distribute the pads securely, you could use the same mechanism to distribute whatever it was you were trying to encrypt.

    When you look at schemes that work, like Diffie-Hellman or just something as dumb as hashing a password, what you'll notice is that the secret isn't transmitted. That keys never leave a secure boundary is a core concept of modern crypto, and it's why asymmetric encryption and one-way functions are so important.

    In this case, they're trying to generate a private client cert. That's exactly what the "certificate signing request" process in X509 is for: they generate a private key locally, and use that to create a CSRF (which has an HMAC of the private key, so you can't get the private key from it) to the signing authority, which sends a certificate back that is now useless by anyone who doesn't have the private key.

  • WTFGuy (unregistered) in reply to Watson

    You seem to have missed the point that the Powers That Be demanded 2FA. They had decreed that 1FA simply wasn't good enough. Any 1FA solution proposed was dead on arrival.

    But then by doing their 2FA cert distribution snoofle's way, they end up in just the scenario you describe: with just 1FA fully exposed to social engineering. At least against any kind of decent quality adversary.

    The only thing worse than knowing you have X amount of security is mistakenly believing you actually have some hefty multiple of X security. Snoofle sold them a 1FA system in a shiny 2FA box. Which, if we take the Powers That Be at their word they would not knowingly have approved. Where I work we call that sabotage.

  • tlhonmey (unregistered)

    What you do is you send the couriers on one last trip. You've been trusting them up until now. Send them with either a one-time-pad big enough to use for the next ten years, or to verify fingerprints on a more mundane solution like PGP keys. Either one of which is to be stored offline in a machine that is never to be directly connected to any kind of network, and is stored in the vault except when needed. Then send future updates encrypted via email. Since the physically distributed key is used only rarely and stored securely collecting enough data to crack it or physically absconding with it should be impossible within its lifespan.

    One courier trip in ten years is probably going to end up happening anyway to service other needs, so the effective cost is a few old desktops sitting in the vault except for when they are briefly pulled out and turned on every three months. Cheaper and more secure than the proposed solution.

  • tlhonmey (unregistered) in reply to siciac

    "The moment you invoke one-time pads as a solution to key distro, you've failed. "

    Incorrect. They already had a secure distribution method, it was just too expensive per round trip. But that expense would not be increased by increasing the data size to any conceivably necessary amount. So instead of invoking the expensive, secure channel for every transmission of new keys, you burn a 4GB OTP to a DVD and send that. You may now generate and send up to 4GB of certificates at arbitrary points in the future with the same level of security as the ultra-secure trusted courier system, but without the expense of a trip each time. If the certs are a whopping 1MB each, replacing them every 3 months, 4GB worth of pad will see you through about the next 100 years. Expense eliminated, security maintained. Some future CEO sometime in the next century can worry about how to send out the next set of pads now that they no longer maintain their courier service.

    Note that One-time-pads delivered via secure courier are still used for extremely high security communications because the one-time-pad xor encryption is the only method which has been mathematically proven to be uncrackable except by stealing the key.

    But it's just not practical for everyday users to log into ebay using OTPs, so that's why we have less secure, but much cheaper and faster key exchange protocols that work over the wire.

  • (nodebb)

    A one-time-pad being used for 100 years? There could be a lot of employee turnover in 100 years. Would they all have access to the 1-time-pad?

  • markm (unregistered) in reply to tcotco

    How long would it take to generate 4GB of actually random numbers?

    You DO NOT use a pseudo-random number generator, because then your key is only as secure as the PNG. An unstable-by-design electronic circuit can flip states randomly, but it's unstable - as far as I know (I'm a EE, but not expert in this particular area), if left to itself, it drifts until it's outputting mostly ones or mostly zeros. If there's a circuit that automatically re-centers it when the output becomes too far off of 50%, that's a non-random input...

    Or you could do what the Soviets once did and use a mechanical randomizer, like a lotto machine loaded with numbered balls. They would load two sheets of paper, with carbon paper between, into a typewriter. When a ball emerged from the machine, they would type the number and feed the ball back in. Eventually they would have a sheet full of random numbers, with a carbon copy. When they made enough sheets, the two sets were bound into a pair of one-time pads. One pad went by secure courier to a spy or a remote site, the other stayed home. And note that with a good tamper seal on the package, they didn't lose anything but the work to type that pair those duplicate sheets if the courier was robbed, or even if he turned coat - the recipient would notice the broken seal, toss out the compromised pad, and notify the home office to send another one.

    Or that was how it was supposed to work. Waiting for the balls to be re-mixed and the next one to emerge was slow, and rather than limiting the use of one-time pads to the most critical secrets, the Soviet spy apparatus wanted to use the one encryption technique for everything. The supply of one-time pads lagged far behind the orders - until they stuck two more carbons into the typewriter. Now they could make two pairs of pads in the time it used to take to make one pair - but they weren't one-time pads. American codebreakers cracked the code due to that re-use! (The Venona decrypts.)

Leave a comment on “Undermining the Boss”

Log In or post as a guest

Replying to comment #498149:

« Return to Article