I recently ran across an interesting article on how
Passport
security works, and what some of the flaws with it are,
including a construction of an exploit (now fixed). As
noted, while there is now a road-block for that specific
exploit, the underlying problems are still there, and a
motivated observer could readily construct another.
I am not bringing up this article because I think that
Microsoft has done an unduly horrible job in constructing
their Passport service. I am bringing it up because I
think they haven't. Oh don't get me wrong. I am not saying
that Microsoft did a good job of getting it right because
they didn't. I am saying that I wouldn't expect to see
someone else doing a better job.
What is their real mistake? That they have a consistent
pattern of small oversights, which make it easy for a
determined exploiter to find their way forward. They have
cross-site scripting holes. Congratulations, most
people do. They have attempted to filter out known
dangerous constructs rather than forcing known valid
input. Congratulations, even though that is ass-backwards
if you want security, that is the common immediate
response. They have focussed on features over
security. They and (much chest beating notwithstanding)
everyone else.
As has come up in past discussions, this site does little
better. (Visit tye's home page.) It would be a sucker
bet to predict that many of
the people here have worked with corporate code-bases that
do substantially worse things. In fact many still do.
And if you haven't had the displeasure, your turn will
probably come.
So re-read it. Not with an eye towards, "Microsoft sucks!"
but with an eye towards, "Would I know to do better?"
Because as the oft-regurgitated but seldom understood mantra
goes, security is a process. It is a process that we get
wrong, over and over again. People have fundamental
misunderstandings that are guaranteed to lead to problems.
And that means that the process which is security needs
some debugging.
And so I finish by reminding people of the fundamental
point that you should avoid parsing (re-read
again, seeing how that theme applies) and with an
inspirational
story from the Space Shuttle about what debugging a
process can look like. (Before everyone jumps up and
down and says that that cannot be done, stop. It can
be done. It may not be worth going to that extreme all
of the time, but IMNSHO people can and should habitually
do more that way than they do now.)
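As an added illustration of the "filter out known dangerous constructs" versus "force known valid input" distinction raised above (example code, not from the article or this thread; the display-name pattern and the sample inputs are assumed and constructed):

```python
import re

# Denylist ("filter out known dangerous constructs"): reject input containing
# any of a few tokens we happen to know about. Anything not listed slips through.
DENYLIST = ("<script", "javascript:", "onerror=")

def denylist_accepts(value: str) -> bool:
    """True if none of the listed tokens occur in value (case-sensitive substring test)."""
    return not any(token in value for token in DENYLIST)

# Allowlist ("force known valid input"): state precisely what a valid value looks
# like and reject everything else. The pattern is an assumed shape for a display
# name: starts alphanumeric, then up to 31 more of a small, explicitly listed set.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.'-]{0,31}")

def allowlist_accepts(value: str) -> bool:
    """True only if the whole value matches the expected shape for a display name."""
    return DISPLAY_NAME.fullmatch(value) is not None

def compare(value: str) -> tuple:
    """Return (denylist verdict, allowlist verdict) for one input."""
    return denylist_accepts(value), allowlist_accepts(value)

# Constructed sample inputs, not taken from Passport or the article.
SAMPLES = {
    "Alice O'Brien": "ordinary valid name: both approaches accept",
    "Alice<script>x</script>": "listed token: both approaches reject",
    "<b>Alice</b>": "markup the denylist never heard of: only the allowlist rejects",
}

if __name__ == "__main__":
    for value, note in SAMPLES.items():
        deny, allow = compare(value)
        print(f"{value!r:28} denylist={deny!s:5} allowlist={allow!s:5}  {note}")
```

The denylist has to anticipate every dangerous construct in advance, while the allowlist only has to describe the one shape the application actually needs.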
(ichimunki) Re: Passport Security
by ichimunki (Priest) on Dec 14, 2001 at 21:52 UTC
I would offer this footnote: saying "security is a process" is not specific enough. While that aphorism captures the essence that the work is ongoing, it omits any mention of what the process actually involves: managing risks. Specifically, clarifying risks, identifying vulnerabilities, and taking appropriate action to mitigate threats.
update: I also want to add that any security plan worth having around has the proactive steps I mentioned but doesn't stop until it also includes incident detection, incident response, and backup and recovery planning.
Re: Passport Security
by Albannach (Monsignor) on Dec 14, 2001 at 23:57 UTC
I must thank you for that link to the excellent article on the software design process used for the Space Shuttle. In the context of your thread title it reminds me that security isn't really special but should simply be another part of the software specification, a specification that is so well thought-through that one wouldn't need to put special attention on security in an attempt to make sure it worked. The focus on security (or any other feature) almost always fails to some degree, and it seems that it isn't security that is the problem, it is the whole software design process that is the problem.
The shuttle article discusses at length the differences between the software design culture and other more established professions, and this also reminds me of the
ongoing debate in some circles about whether "software engineering" is really engineering, and whether it should be. (We have discussed this here before, here is a good example).
This leads me to your final point that this can be done. Frankly it is already done (but as you point out it needn't be carried to this extreme) in most other fields as illustrated by the number of things that don't fail every day (the old joke about what a Microsoft-built car would be like contains some perceptive and valuable comparisons). Why do we tolerate and even expect failure in software?
I'd like to offer yet another plug for the Risks Digest as required and regular reading material for anyone designing anything - patterns of risk and error appear in all fields and much can be gained from the exercise of seeking parallels.
From the Fast Company article:
...Software is getting more and more common and more and
more important, but it doesn't seem to be getting more
and more reliable.
...admittedly they have a lot of advantages over the rest of the software world. They have a single product: one program that flies one spaceship. They understand their software intimately, and they get more familiar with it all the time. The group has one customer, a smart one. And money is not the critical constraint ... the group (is) among the nation's most expensive software organizations.
Now imagine if you will that the world's most popular OS had been built this way. For the vast majority of users, it would have saved countless hours of frustration and unproductive time, easily justifying a much higher per workstation price tag. Certainly there would be disadvantages (the first that comes to mind being the lack of flexibility), and it is difficult to see how this could have come about on such a scale, but to me it is an interesting scenario to consider.
--
I'd like to be able to assign to an luser
A key point is that when you do things right, doing things
correctly results in security.
OpenBSD's documented
audit procedure
underscores that. They don't look for security holes per
se. They look for bugs and fix them. Later on they find
out that at least some of their bugs were security holes.
And even if they weren't, well they at least got rid of
some bugs... :-)
Re: Passport Security
by kwoff (Friar) on Dec 14, 2001 at 23:50 UTC
It can be done, but I think Microsoft will never release
"mission critical" code because it's not in their
best interest.
Quote from the article:
It is very clear that either Microsoft does not have sufficient
resources in place to properly review the security of their services
and software (it only took me about 30 minutes to come up with the
basics of the example exploit, why didn't they notice the same
issues?) or that they are aware of the shortcomings but decided that
attempting to gain market share was more important than their user's
security.
The reason Microsoft sucks is they have billions of
dollars and still botch it. That quote tells why:
their priority is making more billions, not security,
not the interest of the user (aside from what's minimally
required to keep them interested or FUDded).
Why would they waste time designing (they're already
late getting in the internet game) and debugging when
they can be making money? Then they can sell upgrades,
too, and claim it's some "new technology" or "experience".
I think something like Passport is far too important to
put in the hands of a company with a track record
like Microsoft, and I don't apologize for them one bit.
You say that Microsoft is out to make more billions like it
was a bad thing.
Um, well of course Microsoft wants to make billions.
They are a business. Businesses are about making money.
Unless you want to throw out capitalism, this is going to
continue to be the case.
Were Microsoft taken out, would that improve things? I
rather strongly doubt it. The problem isn't which company
is currently top of the heap. Whether it is Microsoft,
Sony, AOL, Oracle etc doesn't really matter. What matters
is that companies which shortchange security are likely to
make plenty more billions of dollars.
Until that is solved, the specific advisories are just
symptoms.
Moving beyond that though, claims that Big Bad Evil
Microsoft was negligent would be more reasonable if they
made mistakes which were out of line with the current state
of the art. Do they? Well they make mistakes that are
out of line with what people who care about security think
that we should expect. But they don't (that I see)
make mistakes that are out of line with the norm
among software developers. The ones at the Monastery
included.
Yes, Microsoft has made mistakes, and that is not necessarily a damning statement. But what is awkward is the reasons for these mistakes.
Microsoft has always looked to features/convenience as their #1 priority (unless you want to make "sounds good in marketspeak" to the list) and security has always been added as an afterthought.
The exploit on the page in question was doable because of Microsoft's belief that your HTML doesn't have to be correct to be parseable. It sounds good in theory, but what if they added the same "feature" to perl. The monastery would be up in arms. I personally don't think that expecting HTML to not be littered with garbage tags is so unthinkable.
Then you get into the "Security through Obscurity" practices, and I start to wonder, would you trust passport??
Furthermore, from looking at the details of the previous exploit, it would seem that future attacks will need to target users from one particular site. (Since finding the merchant ID is crucial to spoofing the server.) So, if you are a passport enabled site and 10,000 users get their credit card details stolen, you run a good risk that MS will go with the old "It's the merchant's fault" defense. This could be devastating to any online merchant. (Look at egghead.com)
I felt that the author's most insightful comment comes when he is discussing the "special hooks" used by Hotmail nee MS. If you are an early adopter of the passport service you help MS spread its influence by making it useful. Who knows if MS will use those special hooks to build a competing site.
This also begs the question, How much will passport know about your on-line transactions?? I am not even as worried about what they will do with the user data, as much as their ability to profile sales for cooperating companies. If they decide to become a competitor at a later date....
The fact that Microsoft is out to make billions is not the question, the question is how do they plan to make it.
So the Microsoft engineers make the same mistakes as the monks?? I for one would hope that MS uses some of those billions to hire programmers with more experience in security and programming than myself. Where is the testing?? Why are we always paying to join Microsoft's public betas??
The exploit on the page is related to a long standing Hotmail exploit, and passport just ups the prize for finding these exploits. Perhaps the new ThinkGeek T-shirt should be "I read your e-mail while using your credit card for phone sex."
They have used fairly weak encryption (MD5) and left some sensitive data out in the open. I think even most of the monks here would think... "Hmm, I should probably not leave the UID out in the open." Again, testing should have revealed weaknesses like these.
Finally, I would just like to harp on the changing nature of passport. From my own testing it appears that two passport servers do not behave the same way. Most likely due to the behind the scenes tweaking.
Toss in poor documentation, poor logging and error recovery, and being logged on to wallet without realizing it?? I could just keep going....
Let's face it, if you had to go in after this and "fix" this program, you'd cuss the developer for a year straight.
And can I just add that I freakin' hate IE. I do webpages, and I have some IE compatible pages with PURPOSEFUL ERRORS in them, designed to combat some of the render problems. Drives me nuts.
This message courtesy of Opera 6.0.
HamNRye
nothing4sale.org
Re: Passport Security (slightly OT)
by fr3ez (Acolyte) on Dec 17, 2001 at 18:18 UTC
This post was very timely.
I was just considering on the weekend, how everything Microsoft is doing at the moment seems to rely more and more heavily on you using passport.
Having had experience with hotmail and spam, as I'm sure most others have, I researched Microsoft's Terms and Conditions and note:
Hotmail keeps your personally identifiable information private and does not share it with any third parties, unless you choose, at the time of registration, to be listed in either the Hotmail Directory or the Internet White Pages directory.
I created a test account some time ago to test this theory. I made 100% sure I was not subscribed to any bulletins or listed in any directories via their registration process. The account was also randomly generated characters.
Within 4 days I had my first spam and now the account regularly gets 4-5 a day. I have NEVER used this account for anything other than logging in for purposes of this test.
What is the relevance? Well it is clear Microsoft does on-sell your details despite their claims and explicit policy otherwise.
Now we also have the question of their security etc.
With more reliance on Passport, and Microsoft wanting e-Wallets and whatever their next move is.
I'm not sure this is a company I feel comfortable with and would like to share so much information with. If I had never heard of Microsoft before and was evaluating them as a first time supplier or the like, I'm 100% certain they would be rejected.
Is it only because of their stranglehold on the market that we tolerate this behaviour? We can make a difference, and it will be a cold day in hell before I entrust them with details of a delicate nature.
P.S. I do use online banking and shopping, but only with companies I feel I can trust.
.oO fr3ez Oo.
Well it is clear Microsoft does on-sell your details despite their claims and explicit policy otherwise.
Well, it is not that clear. Actually spammers could just guess your mailbox address. Last time I checked it was possible to verify if any mailbox exists on hotmail.com using the fake mail post technique (combination of MAIL FROM and RCPT TO commands). I've heard about spammers who do scan hotmail for existing mailboxes.
Don't get me wrong. I don't like M$ but I think it is just stupid for them to sell your info to spammers. It hurts their image without earning too much money.
--
Ilya Martynov
(http://martynov.org/)