1996-06-29 - Re: CIA Fears UmpTeen InfoNukes

Header Data

From: frantz@netcom.com (Bill Frantz)
To: cypherpunks@toad.com
Message Hash: 624bb66e8b53b432d6223ec228683fa09f7a1f524a94107f0f7e7d69eef98406
Message ID: <199606272352.QAA10348@netcom7.netcom.com>
Reply To: N/A
UTC Datetime: 1996-06-29 00:20:06 UTC
Raw Date: Sat, 29 Jun 1996 08:20:06 +0800

Raw message

From: frantz@netcom.com (Bill Frantz)
Date: Sat, 29 Jun 1996 08:20:06 +0800
To: cypherpunks@toad.com
Subject: Re: CIA Fears UmpTeen InfoNukes
Message-ID: <199606272352.QAA10348@netcom7.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At  6:38 PM 6/27/96 -0400, Vin McLellan wrote:
>        On Cypherpunks-L, Vin McLellan wrote:
>
>>>...  The real threat is incompetent, poor-trained DoD
>>>system administrators -- and a class of computer-illiterate senior managers
>>>who define "system security" and routine administration as a marginal
>>>expenses and scorn readily available options like one-time passwords as too
>>>complex for the military mind.
>
>        Bill Frantz <frantz@netcom.com> responded:
>
>>Public key authentication could go a long way toward solving the military
>>and contractor's security problems.  However, they won't use public key
>>authentication for unclassified systems until it is available in "COTS"
>>(Commercial, Off The Shelf) software.  And it won't be available there
>>until it can be exported as well as sold domestically.  Catch-22
>
>        I love PKC with all its promise, but you overstate (and IMHO,
>attribute inappropriately) the barriers that slow the adoption of one-time
>password authentication in the military... and many other more highly
>regarded IS environments.

On thinking about your rant, I think you have a valid point.  What our
venture capitalists said to us was, "There is no market for security."  Now
perhaps the ITAR helps suppress that market on the basis of, "If I'm going
to have to wander the information superhighway naked, why should I shut the
blinds on my house."  Given no market, and the requirement to support
everything you ever supported, it is hard to justify building in security
features.


>        No, in this case, the blame is spread far more widely.  Yes, DoD
>and other meta-institutions have been slow to acknowledge and act upon the
>obvious solution to their biggest and most obvious vulnerability.  [One 
>Time Passwords - WSF]  Security
>is still seen as a marginal item in the budget -- not something that must
>be designed into both the technology or implicit in its responsible
>management.

I have a client who provides services to part of the DOD.  (My contract
prevents me from being more specific.)  Their only saving grace is they
don't use the Internet or Unix.  (Making them vulnerable to a much smaller
group of hackers.)

The ideal situation for them would be to use public key authentication
because it would be entirely user-transparent.  Doing OTP's the way Apple
does them (see below) would also work well.  However, to implement one of
these systems requires modifying a bunch of terminal emulator programs from
different vendors (some of whom are no longer in business).  Without widely
adopted standards for OTP logon, these modifications are not likely to
happen.


>        But they've been able to get away with it because the hardware
>vendors and big software companies -- the very firms which now harp on ITAR
>denying them the international market -- have been so hesitant to risk
>their margins by designing security into their number crunchers...

I think that backward compatibility requirements are a significant part of
the reason we see this problem.  The other part is, of course, that there
is no market for security.

Apple has a form of one time passwords in their file sharing system.  When
you enter your password, it is used as a key to encrypt a challenge sent by
the file server (Using a symmetric cypher).  The result is returned,
decrypted and compared with the original challenge.  But this system didn't
have to be compatible with a hardware VT100 or TTY-33.


>        Somehow, firing, fining, demoting, or making liable for damages,
>any designated system administrator who can't find the time (within, say, a
>week) to apply vendor-circulated patches for vulnerabilities announced by
>CERT is too extreme a proposal...

The problem, in general, isn't the system administrators.  If management
gave the same priority to security that it does to joining new users or
installing new hardware, sysadmins would have the time to install the
patches.  Most sysadmins are up to their asses in alligators.  Security is
something to put off.  If the managers were judged on the security of their
systems (perhaps via independent audit), then they might give the problem
some priority.


-------------------------------------------------------------------------
Bill Frantz       | The Internet may fairly be | Periwinkle -- Consulting
(408)356-8506     | regarded as a never-ending | 16345 Englewood Ave.
frantz@netcom.com | worldwide conversation.    | Los Gatos, CA 95032, USA







Thread