::scr tales from the crypto

David Cantrell scr@thegestalt.org
Sun, 21 Apr 2002 21:38:31 +0100


On Fri, Apr 19, 2002 at 10:39:46AM -0700, jonah wrote:

> Now, I recently had cause to start to do some boning up on security
> matters in order to fix and sort out a compromised RedHat box[0] ...
>
> [0] It's a Debian box now.

Oh good, you did the right thing.  Once a box has been haxX0red, the only
way to re-secure it is to reinstall from known-good media.

> What I keep reading again and again is that one of the main problems
> facing security and cryptography is the conflict between utility and
> usability[1]. As I understand it, this conflict arises from the need for
> security to be quite complex in order to be implemented usefully, and yet
> in order to ensure it's widespread use it needs to be transparent enough
> at the user end to be accessable by Johnny X. L. Spreadsheet.

I am not convinced that just because security and cryptography tools are
currently hard to use (OK ok, have fucking awful interfaces which even the
most leet of experts have trouble with at times) means that this is
inevitable.

> For instance, I've read that one of the main problems with crypto in
> general is that the concepts of how it works can be tricky to grok. I must
> admit that my grasp of how the key-based system used by P?GPG? actually
> works is shaky at best

You're not alone.  I do grok it, but even so I have to think carefully when
explaining it, because *how* it works is a bit weird.

>                        but then I haven't put a lot of effort into
> finding out before now because it Just Works.

Yes, how it works should be less important to ordinary users than the fact
that it DOES work.  Trouble is, with the lamentable state that the tools
are in right now, if you don't understand how it works, you'll probably not
use the tools very effectively.  That, however, is a "mere matter of
programming" (and sysadminning).

>            Any of you IAs looked at this problem? Or should we just set
> the bar higher for users? Is that even a realistic response given the
> widespread public use of computers these days? If so, how can we rectify
> that? Do we instigate a much more intensive program of IT training for
> nippers? This could spin off into social solutions as well as
> technological or interface solutions. Or better yet, all three.

Yes, I do think the bar should be set higher.  It shouldn't be a 'hard'
bar of course - idiots driving computers can hurt themselves but not others,
so we shouldn't ban them altogether.  But I would love to see lack of
computer-driving clue become as much of a social stigma as lack of car-
driving clue.  Training would of course be a good thing, but everywhere I
look, education about computers is turning into mere instruction on how
to use whatever the flavour-of-the-month is in crappy office tools.  Maybe
someone needs to organise a concerted hack on all the schools in the
country to persuade them of just how important real understanding of these
things is.

> And what about the nuts and bolts? It often seems to me that a lot of the
> underlying structure of networked computing isn't fundamentally suited to
> security, due to the environment in which it was developed

Indeed.  For cost reasons, real computers are designed to have more than
one user.  More than one user == insecurity.  For convenience, there are
trust relationships in networks.  Trust relationships == insecurity.
Commercial software writers are under pressure to implement features X
Y and Z instead of to merely implement feature X securely, because even
though the latter would benefit the users, the former benefits the
marketting lichriture and so benefits the company's profits.  Commercial
concerns == insecurity.  The fundamental technologies behind the inertnet
were designed for a much more trustworthy world - university professors
and the like, so they are fundamentally insecure.  IP and TCP, for example,
provide almost as close to fuck-all in terms of data integrity checking,
end-point authentication, user authentication etc as it is possible to get.
I don't blame anyone for that.  But I don't see IPv6 or any other
technological white knight as fixing that.

The simple fact is that too much has been done because it was convenient -
that is, usability has been seen as being of greater importance than
security.  Now that that has changed, and we view security as being as
important, we have horrendous problems trying to retrofit security onto
fundamentally insecure systems.  It is a maxim of security that if you
don't design for security from the start, you're fucked.

>                                                            (and perhaps
> also due to a lack of low grade paranoia, high grade cynicism and
> s00per-psychic precognitive powers on the part of the people who built
> it). :) Is this fixable at this late a stage? 

Yes, but not without lots of pain.

> In practical terms, all you sysadmins, what're the good habits that you
> most *wish* your users would get into as regards security? What can we do
> to help? Ask not what your network can do for you ...

Difficult question.  The users *I* have on the network I control are
pretty good about most stuff.  It probably helps that they know perfectly
well that they'll get shat on from a great height if they're naughty, and
that they don't have any financial strings to pull.

Looking at other networks I have adminned in the past and on which I work
now, I think the most useful thing I could realistically ask of them is
that they involve operational and security staff in their projects right
from the start instead of just dumping insecure messes on us and expecting
us to magically fix them in the two hours before they "must" be launched.
I would point out that operational and security staff should be involved
in all aspects of the company's operations, not just those which immediately
involve computers.  A case in point - when I was made redundant from the
ex-NMCWDNSIN, all my remote access kept working, all my passwords kept
working INCLUDING THE ROOT PASSWORDS ON THE COMPANY-WIDE MAIL SERVER, because
no-one had thought to tell the other admins and security folks.  I was the
one who told them.  Now, I left on friendly terms, but even so, they were
stupid to not do that.

The most useful *un*realistic thing I could ask most of the users to do
is to go back to school and learn social skills and logic.  Oh, and
gaining a basic grasp of the English language would be kinda useful too.

> Related tangent: Heh, what's the favourite LARTing you've ever given?

It wasn't pleasant at the time, but it was firing someone for being an idiot.
I won't go into details, but this person had done something he had
specifically been told not to do just a few hours earlier.  I felt
dirty getting rid of him, as he was quite a nice person, but looking
back, it's really quite funny how he begged to be allowed to keep his job.
It's even funnier that he gave my name as a reference for his application
for another job.

-- 
Grand Inquisitor Reverend David Cantrell | http://www.cantrell.org.uk/david

          All praise the Sun God
          For He is a Fun God
          Ra Ra Ra!