From: vin@shore.net (Vin McLellan)
Date: Sat, 29 Jun 1996 07:31:09 +0800
To: cypherpunks@toad.com
Subject: Re: CIA Fears UmpTeen InfoNukes
Message-ID: <v02140b00adf8924b5fe4@[198.115.179.228]>
MIME-Version: 1.0
Content-Type: text/plain


        On Cypherpunks-L, Vin McLellan wrote:

>>...  The real threat is incompetent, poor-trained DoD
>>system administrators -- and a class of computer-illiterate senior managers
>>who define "system security" and routine administration as a marginal
>>expenses and scorn readily available options like one-time passwords as too
>>complex for the military mind.

        Bill Frantz <frantz@netcom.com> responded:

>Public key authentication could go a long way toward solving the military
>and contractor's security problems.  However, they won't use public key
>authentication for unclassified systems until it is available in "COTS"
>(Commercial, Off The Shelf) software.  And it won't be available there
>until it can be exported as well as sold domestically.  Catch-22

        I love PKC with all its promise, but you overstate (and IMHO,
attribute inappropriately) the barriers that slow the adoption of one-time
password authentication in the military... and many other more highly
regarded IS environments.

        Security Dynamics (a client of mine) has sold a million SecurID
two-factor OTP tokens internationally -- and its ACE/Server installations
are freely exported to 20-odd nations, even with its embedded DES code.
There is no barrier against exporting OTP authentication systems, either
two-factor tokens or software!  Bellcore's s/key is available world-wide in
both the popular freeware versions and Bellcore's commercial client/server
version -- and the US Navy  developed and circulates widely its own
freeware rewrite of the s/key OTP code: OPIE.

        Free and commercial OTP code has been effectively COTS for years!
I would be greatly surprised if there has been a published report on the
state of security in the US computer or communications infrastructure
anytime in the past five years which has not highlighted the promise of
OTPs to plug the single most eggregious systemic vulnerability in the
installed base of networked computer systems: static, unchanging, user
passwords vulnerable to anyone with a wayward sniffer utility or (to
collect them by the bushel) able to logon to a target site with one of
those stolen passwords to drop a trojan.

        Without trustworthy user authentication there is no meaningful
computer security, period!  Sen. Sam Nunn, who is now chairing the
Congressional hearings on Security in Cyberspace, is a bright guy --
although he is reputed to be utterly innocent of basic computer skills.
Yet Sam Nunn could have pulled off the total penetration of the 30 USAF
computer systems at Rome Labs -- the tale of incompetence witnesses
described so luridly at his recent hearings -- with a couple of hours of
simple tutorials from anyone on this List.

        The British 16 year-old who did it just religiously collected
passwords -- working the Net from his 25 MHz 486 SX pc with a 170 Megabyte
hard drive.   The "Datastream Cowboy" liked to hack .MIL systems because --
as he was quoted explaning, in an analysis by the Nunn's subcommittee staff
-- they are "so insecure."

        CERT, DISA, NIST, OTA, GAO, even NSA -- they've all issued stacks
of reports with the same redundant recommendations.  Even CERT, fer cripes
sake!  Reusable passwords are the hole in the dyke!  It's a mantra among
the security pros; has been for years: "Shift to OTPs for meaningful
security in networked systems."

        Yes, there are still threats to the communication links without
network encryption -- but with OTPs, even those vulnerabilities become
vastly more managable.  With universal adoption of OTPs for multi-user
systems, 80 percent (??) of the problem would disappear and we could worry
(as we must) about bad code in Sendmail and other widely-used apps and
system products. Then, we could blame our sense of vulnerability on the
self-interested spooks and the short-sighted politicians who deny us and
our culture the personal security of widespread quality encryption.

        But it's not that simple.  Access to encryption is one issue;
separate and distinct from the issue of the adoption of one-time password
technologies.  OTP user authentication -- and the vast increase in the
security and integrity of our computers and networks it could bring to our
government and private sector information systems -- is _Not_ dependent
upon the government releasing encryption (PKC or other) from its spooky
bondage.

        You don't need PKC for quality authentication.  They are
complementary technologies (thus, the proposed merger of Security Dynamics
and RSA) but they are not the same.  They are not even necessarily
interdependent.  You can have weak authentication with utterly secure
network encryption.

        No, in this case, the blame is spread far more widely.  Yes, DoD
and other meta-institutions have been slow to acknowledge and act upon the
obvious solution to their biggest and most obvious vulnerability.  Security
is still seen as a marginal item in the budget -- not something that must
be designed into both the technology or implicit in its responsible
management.

        But they've been able to get away with it because the hardware
vendors and big software companies -- the very firms which now harp on ITAR
denying them the international market -- have been so hesitant to risk
their margins by designing security into their number crunchers.  And
they've been able to get away with that because the whimpy class of
professionals who design, impliment, and manage the computer installations
upon which our nation (many nations!) and our industrial culture depend has
been unable to get it together to define or condemn irresponsible,
unprofessional stewardship of these assets.

        People carp about soul-less lawyers.  Money-grubbing MDs.  Sell-out
CPAs.  But has there ever been a class of technical professionals so adept
at denying all responsibility for the proper and responsible management of
the power and assets they control as we professional technocrats of the
computer culture?  By contrast, lawyers, MDs, etc., are bastions of probity
and social and professional responsibility!

        How low do you have to sink to find some unacceptable level -- some
level of incompetent system administration that carries the burden of
liability? A standard beneath which a professional's peers would judge him
or her reckless and irresponsible, lacking due care, unprofessional?
Frankly, I've never been able to find out.  (And, to judge by the lack of
judicial condemnation of corporate and public managers for mismanagement of
other people's electronic assets, neither have the Courts.)

        Think of it: our culture could be about to be irretrievably
transformed by a series of laws drafted by the American subculture of spys
(both the police and the real spooks) and passed by legislators stampeded
into reckless action by a heartfelt but hysterical sense that our
computer-based national infrastructure is vulnerable to bored teanagers
just  bright enough to scoop up the static passwords that circulate
unprotected on our networks; to run CRACK against readily-available
"secured" password files full of what everybody knows are guessable
passwords; or to slip through system backdoors announced world-wide by CERT
and FIRST alerts... but never patched, closed, or fixed.

        Sad.  No -- it's absurdly tragic!  Nunn's subcommittee will leap
from considering poor Datastream's vaunted outlaw prowess to offer, in the
weeks to come, yet another proposal for guaranteed government access to
private sector crypto keys.  (And this one might fly with the Nation -- all
those Nations -- At Risk.)

        Somehow, firing, fining, demoting, or making liable for damages,
any designated system administrator who can't find the time (within, say, a
week) to apply vendor-circulated patches for vulnerabilities announced by
CERT is too extreme a proposal.  OTPs are too simple a solution. Better to
toy with the potential for repression than risk the revolutionary idea of
personal and professional responsibility.

        They say People ultimately get what they deserve.  Computer
professionals better pray that this is not the case.


                        _Vin

        (Zounds!  This was to be merely my two cents, but then the wind
caught my sails. Apologies for the overheated bandwidth.)


         Vin McLellan +The Privacy Guild+ <vin@shore.net>
      53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
                         <*><*><*><*><*><*><*><*><*>