On 26/05/06 12:49 -0700, Tina Bird wrote:

> MS, heaven help us all, has taken the idea of user authentication and
> authorization a step further by building the *only* possible enterprise wide
> IPsec management infrastructure in the world, by allowing orgs to tie user
> rights and machine communications policies into a crypto infrastructure.

Other than the breakage of the Kerberos standard, there isn't much wrong
with the _design_ of Microsoft's infrastructure management systems.

The implementations suck. The worst part is that MSFT has been selling
Windows as easy to administer, and encouraging clueless MCSEs. They have
created a culture where computers are unreliable and black magic.

Microsoft is great in an all Microsoft shop. In a mixed ecosystem? I
wouldn't think so (but I have no real experience of that environment, so
take a very large pinch of salt).

> they've been using that capability since before blaster, to give admins a
> better way to do firewalling than using the silly firewall that comes with
> XP. this is a huge big deal, and they've done it very quietly. i don't
> understand *why* they're so quiet about it, actually, especially with all

The threats against Windows? Viruses, software which needs administrator
access to run, lousy administrators, users, backwards compatibility....

The most recent security requirement I heard in a Linux IRC channel was
"If an attacker guesses my password, and logs into my machine, he should
not be able to do anything, but I should have no such restrictions".

That is the level of security desired by a lot of people. There isn't
much you can do to stop this.

I don't need to actively attack your servers directly. I just need to
hijack your browser most of the time. Does it matter how good your
credential and policy management tools are, if the attacker controls
the credentials?

The crackers are already ahead of the security tools. If you stop buffer
overflows, the attacks move up the stack. The problem has just been
shuffled, not fixed.

With everything moving to a browser based thin client, yesterday's
buffer overflow is today's SQL injection. With administrators gaining
control over identity mappings, the game is on to steal identities.

The final weakness is not in the digital systems. We can control those.
The weakness is not in the analog components. We have been dealing with
those for years and have a fair idea of failure modes (though they keep
repeating). The weakness is where the analog world meets the digital. If
you can secure that boundary, you can actually be secure. An additional
requirement is that failure modes in analog components also need to be safe.

The credentials question is finally one of proving your analog world
identity to the digital world interface. This can be answered by one or
more of "who you are, what you have, and what you know". The amount of
authority in each of these keeps on decreasing from left to right.

Who you are is the most authoritative answer (biometrics).
What you have is slightly less authoritative (a keyfob? an access card?)
What you know is the least authoritative (a password?).

However, when your security systems fail, what you know is the easiest
and cheapest to replace. What you have is more expensive. Who you are
isn't exactly replaceable. Note that I am not saying _if_ they fail, I am
saying _when_ they fail.

We also have to consider that we all have multiple roles and
authentication requirements for every role. Every website you visit,
every online and offline transaction you do, every email you send or
receive ....

Your personal data is scattered everywhere. There are so many sites
which need passwords and logins. If a lot of these moved to real two
factor authentication, we would still end up carrying a huge number of
keyfobs or cards or other tokens. If you build a single token for
everything, you lose on anonymity.

Real world security depends to a certain extent on anonymity, or at
least on certain information not being available to other parties.

Identity theft is pretty common, and damaging. There have been other,
worse excesses triggered by having too much information available to the
wrong set of people.

Devdas Bhagat
firewall-wizards mailing list