RISKS-LIST: Risks-Forum Digest  Thursday 7 April 2011  Volume 26 : Issue 42

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/26.42.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [APOLOGIES.  This was supposed to go out earlier.  PGN]
Mark another security problem done and solved.  Web login systems are
  flawless and here to stay. (Kevin Fu)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: April 1, 2011
From: Kevin Fu <kevinfu_at_private>
Subject: Mark another security problem done and solved.  Web login systems
  are flawless and here to stay.

It's been nearly ten years since the USENIX Security [1] "cookie eaters"
paper [2] and the humor-less talk [3] that provided a secure cookie
authentication scheme and claimed to demonstrate weaknesses in commercially
deployed web login systems at places like the Wall Street Journal [4].
Follow-up discussion appeared in a 2001 CACM Inside Risks column [5].

I've finally decided to come clean; I'd like to officially recant the 2001
USENIX Security paper for three reasons: Web login systems are inherently
flawless [6] and any problem is the user's fault; no one has ever found any
problems in a realistic scenario [7], and the authors cannot possibly be
real people.  Scientists occasionally publish erroneous results.

First, the problems were way overblown.  I mean, who even logs into web
sites today anyway?  Gopher and FTP have the most opportunity to gain mind
share; the Web is already saturated.  The New York Times [8] recently
followed suit with the WSJ paywall to install secure web authentication
systems.  It's flawless.  And if you really need extra security, just use a
two-factor authentication dongle [9].  Or pick a password like
changeme123 [10].

Second, neither count thou two [11].

Third, the authors are not real.  It turns out I had nothing to do with this
paper at all.  I mean, just look at the photo of those four kids at USENIX
Security [12].  Have you ever seen me wear tennis shoes and jeans?  Clearly
that should have been a tip-off that some Fu-doppelgänger was involved.
Nick [13] and Emil [14] might have been duped, and Dan Wallach was certainly
a replicant.  I mean, look at Dan [12].  He's wearing khakis.  There's no
way that's really Dan [15].  And has anyone ever seen Kendra [16]?  Some
think that she saw our totems and tricked us into inception of this cookie
authentication fable.  For all we know, she probably joined the NSA!

Only a few years ago did I awake from my cryogenic suspension after SCADA
systems [17] for the local power substation failed.  In the meantime, this
Fu doppelgänger managed to build up my publication record.  Thank goodness
for Stuxnet [18] or I might never have woken.

Let me explain what happened.  After dabbling with Merkle trees in file
systems [19] in the late 1990s, I asked Ralph Merkle for a good place for
ice cream because Tosci's was closing at the MIT student center [20].  But
he misinterpreted and sent me to his cryogenic chamber [21].  Once you log
in, you don't log out.

Upon thawing, I was quite surprised to learn that Christof Paar and Ari
Juels tricked my doppelgänger into organizing a workshop on aphid security
and privacy [22].  The poor little bugs get such a bad rap because they are
so tiny yet can damage the leaves of a Merkle tree.

If you are still reading this, you must be depressed about the state of
security of web authentication and everything else---whether it's 2001 or
2010.

April Fools!
Cheers,
Kevin

[1] http://www.usenix.org/events/sec01/
[2] http://prisms.cs.umass.edu/bibliography/kevin.php?q=webauth:sec10
[3] http://www.cs.umass.edu/~kevinfu/talks/Fu-cookie-slides.pdf
[4] http://www.cs.umass.edu/~kevinfu/news/wsj.html
[5] http://www.csl.sri.com/users/neumann/insiderisks.html#135
[6] http://codebutler.com/firesheep
[7] http://www.crypto.com/bingo/pr
[8] http://ocunwired.ocregister.com/2011/03/29/how-to-circumvent-ny-times-pay-wall/6851/
[9] http://www.computerweekly.com/blogs/david_lacey/2011/03/rsa_hack_is_a_timely_reminder.html
[10] http://www.thetechherald.com/article.php/201106/6785/Report-HBGary-used-as-an-object-lesson-by-Anonymous
[11] http://en.wikipedia.org/wiki/Holy_Hand_Grenade_of_Antioch
[12] http://www.usenix.org/events/sec01/DCphotos/02.jpg
[13] http://www.cc.gatech.edu/~feamster/
[14] http://www.emilsit.net/
[15] http://www.cs.rice.edu/~dwallach/
[16] http://www.amazon.com/Five-Ways-Disappearing-Kendra-Smith/dp/B0000251JQ
[17] http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html
[18] http://en.wikipedia.org/wiki/Stuxnet
[19] http://www.google.com/search?q=sfs+read-only+file+system
[20] http://tech.mit.edu/V127/N64/toscaninis.html
[21] http://www.merkle.com/cryo/
[22] http://rfid-cusp.org/rfidsec/

Kevin Fu, Assistant Professor, Computer Science Department
University of Massachusetts Amherst  http://www.cs.umass.edu/~kevinfu/

------------------------------

Date: Thu, 29 May 2008 07:53:46 -0900
From: RISKS-request_at_private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request_at_private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe_at_private or risks-unsubscribe_at_private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall_at_private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks_at_private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 26.42
************************

Received on Thu Apr 07 2011 - 20:32:15 PDT