
Re: [ProgSoc] Confused about security (Was: Hacked hotmail account?)



On Saturday 03 June 2006 5:02 pm, Andrew Halliday wrote:
 ] Stupidity is as irrelevant to my query as is your repetition.

 Stupidity was the basis of your query.

 Okay, that's a bit harsh.

 It may be better described as incompetence.

 <re the "Remember me on this computer" bit>
 ] Yes Jedd, I've said so at least once before in this thread, this box
 ] is not checked in any of my explorations of this 'feature'.

 You did not mention this in the original email, or the subsequent
 ersatz shitgramme you sent my way.   You may have since mentioned
 it, but I'd probably nodded off into my cornflakes by then.

 What you haven't done is respond to my question about what your
 cookie values are, esp. the 'rememberme' cookie, as well as the
 expiry time on the other gmail related cookies.  This is a shame,
 as that information may be quite revealing, even if it doesn't
 mean much to you.

 ] I don't use any password managers on the browser level or the OS
 ] level. I don't even trust keychain with app passwords in Mac OSX.

 Well, no, you'd be crazy to do that.

 Much better to keep them all the same (actually, it's not) so you
 can remember them (or it), or to keep them in a text file somewhere
 (actually, that's not either).

 What's your problem with password managers, can I ask?  What
 approach do you use to securing your various accounts on various
 machines around the place?

 ] >  You do realise that this isn't what single sign on refers to,
 ] >  don't you?  It might be handy to read up on SSO before going for
 ] >  any gigs that involve ... well, maybe not.
 ] 
 ] Semantics.

 Well, yes, pedantic though it may seem to you, when talking to someone
 about technical things it's much easier if they have an understanding
 of the terms and concepts involved in same.

 And when did semantics become a pejorative anyway?

 {sigh}

 Probably around the same time that ignorance became a point of view.

 ] I understand what SSO is. I'll rephrase to satiate the
 ] resident pedant then. They should have single login enforcement.

 You haven't yet demonstrated why they *should* have such an
 enforcement, btw.  In this email or any previous ones.

 ] In
 ] that you should only be able to be logged in once from a single
 ] terminal, and that if another login attempt is made it invalidates
 ] both sessions even if it's from within the same terminal.

 There's some delightful DoS scenarios that I can envisage
 from this kind of setup.  Unless you mean another login, rather
 than just a login attempt, at the B-end?

 I know, I know .. another of those nasty semantic things.  It's so
 frustrating when people demand that you say what you mean,
 rather than just find homophones that roughly match the kind of
 concept that you may have been thinking about at the time.

 ] Yes. Most people already _do_ have it imposed on them.

 How so?  Which gmail users have this imposed on them, and how
 is it imposed upon them?

 ] So you'd be OK with concurrent persistent login sessions to your
 ] internet banking? Then you could leave it open on not one but all your
 ] terminals.

 We're talking about mail, not bank.  I tend to be connected to my
 gmail account for 15 hours a day, if not longer.  I'd suspect most
 people are authenticated to their gmail account for 8+ hours
 a day, 5+ days a week.  I use internet banking once a month, and
 I suspect most people login to their internet banking account maybe
 between one and four times a month.

 So yes, there is a difference in usage patterns here, as well as the
 Generally Obvious difference in impact if one or the other is
 compromised.

 I was suggesting that there's no technical reasons for a DB-driven
 mail client to have limits on concurrent logins -- it's not like
 pine (or similar) that needs sole and direct access to the underlying
 mail files that it is playing with.

 To answer your question, I'd be okay with my password and login
 name for my internet banking account to be stored within my password
 manager, yes.  On broadband this effectively means permanently
 authenticated (from a user experience POV), and that's close enough
 for me.

 ] How is single session enforcement inelegant? It's secure ...it puts the
 ] user in control because the user knows they have the only active
 ] session. Which to me when I read my email or do net banking is kind of
 ] a nice thing to know that when I'm logged in, someone else can't be.

 So for the 15 minutes a week that you're net-banking, you feel secure
 because no one else could possibly be using your account during
 those fifteen minutes?

 Golly.

 (Btw, have you tried logging into your internet bank account from
 two separate machines concurrently?  If you ran a small business
 and had two accountants working for you, would you want for them
 to both be able to access the account at the same time?  And yes, I
 know things don't work that way .. it's a hypothetical, remember.)

 ] Considering how common it is for web services to enforce a single
 ] login session policy, I think your spiel of inappropriateness doesn't
 ] apply.

 This is, as you observe, a policy decision in most cases -- and I'd
 suggest it stems from a desire for users to not share accounts, and
 that in turn is probably based on a financial impetus.

 I doubt many people flog it as a security 'feature'.

 ] I think I've already made my case above. It appears the difference is
 ] that I care about personal security when it comes to sensitive
 ] information site session management -and you don't.

 Absolutely.

 This is evinced by the fact that you posted a message wherein you:

 a)  stated that you sometimes login then leave your computer
       unattended and unlocked,

 b) observed that you haven't worked out how to manage cookies,
      and consequently persistent session data on your computer,

 c)  implied that you had done squiddly-dit investigation of the
      cookies that relate to this.

 ] My argument is that single login session = less exposure, with less
 ] opportunity for people to gain unauthorised access to your personal
 ] data, whether email or my fav new example net banking.

 Hmm .. I don't think you've presented a compelling argument, though.

 By less exposure, do you mean less risk, or more likelihood of being
 observed?

 If the latter, then this insight, feature, understanding and advocacy
 of hotmail's approach, hasn't helped the original poster (inability
 to lock down their account remotely, using hotmail).

 Would you suggest that single logins to, say, incubus would be a
 good idea?  Would that be more secure, or less secure, or have
 a near-zero impact on security?

 We certainly do seem to have moved a long way from your original
 complaint that you sometimes forget to log off, haven't we ...

 ] Not quite. For my experiments Firefox is configured as described above
 ] by you -not to limit cookies and not to remember passwords. I quit
 ] Firefox, logoff, restart log back in, launch Firefox, navigate to
 ] gmail.com and then automagically it logs me in.

 I'm not very familiar with Firefox -- does it have one of those
 'quickstart' facilities, where the bulk of it is loaded at startup,
 and runs throughout the entire time you're logged in, even when
 you quit (the visible portion of) the application proper?  I know
 some other browsers do this kind of thing, and it can lead to
 confusing results when testing cookie and session based features.

 ] People might have password protected desktop sessions, but what's the
 ] timeout when you walk away? Again, this is heading away from the
 ] scenario I outlined.

 You haven't worked in many offices, have you?

 Timeout is irrelevant.  Policy is generally to lock (ctrl-alt-del on
 95% of office machines) as you stand up and walk away.  The other
 common alternative is things like 'mouse in top left corner for >2s'
 to trigger the passworded screen saver, etc.

 Most places I've worked have had an informal policy attached
 to this, at least in the IT department, that any unattended, unlocked
 machine that is found, gets an email sent from it to everyone in IT,
 declaring their everlasting love for OS/2, the Hoff, or the Roxy.

 ] So by deduction you're saying that GMail is a step forward in the
 ] world of webmail by allowing multiple simultaneous sessions with no
 ] way for the end user to deactivate them except manually at each
 ] authenticated terminal. Stop smoking crack. That's a stupid idea.

 I'm saying that concurrent logins are not the evil that you think
 them to be.

 And I don't smoke crack.

 Apart from that, any deductions you make are your own.

 Jedd.
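As an added example (not from this thread or either of its authors), a toy session store in Python contrasting the two policies argued over above: "a further login invalidates both sessions" against concurrent sessions with per-session revocation, which is the remote lock-down the original poster was missing. The class and function names are assumptions, and the password check is assumed to happen before login() is called.

```python
import secrets


class SessionStore:
    """Maps user -> {session_id: terminal}. Constructed for this example."""

    def __init__(self, single_login: bool):
        self.single_login = single_login
        self.sessions = {}

    def login(self, user: str, terminal: str):
        """Record a successful authentication (password check assumed done)."""
        active = self.sessions.setdefault(user, {})
        if self.single_login and active:
            # The policy quoted in the thread: a further login invalidates
            # *both* sessions, so the legitimate user is locked out as well.
            active.clear()
            return None
        sid = secrets.token_hex(16)
        active[sid] = terminal
        return sid

    def is_valid(self, user: str, sid) -> bool:
        return sid in self.sessions.get(user, {})

    def revoke_others(self, user: str, keep_sid: str) -> int:
        """Remote lock-down: a live session holder drops every other session."""
        active = self.sessions.get(user, {})
        if keep_sid not in active:
            raise PermissionError("only a live session may revoke the others")
        dropped = [s for s in active if s != keep_sid]
        for s in dropped:
            del active[s]
        return len(dropped)


def compare_policies():
    # Single-login: alice signs in at home, then at work; both sessions die.
    single = SessionStore(single_login=True)
    home = single.login("alice", "home")
    work = single.login("alice", "work")
    single_outcome = (single.is_valid("alice", home), work)  # (False, None)

    # Concurrent sessions with per-session revocation: alice stays logged in
    # at both terminals and, from work, kills the home session she forgot.
    concurrent = SessionStore(single_login=False)
    home = concurrent.login("alice", "home")
    work = concurrent.login("alice", "work")
    dropped = concurrent.revoke_others("alice", work)
    return (single_outcome, dropped,
            concurrent.is_valid("alice", home), concurrent.is_valid("alice", work))
```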

