At 6:38 PM 6/27/96 -0400, Vin McLellan wrote:
On Cypherpunks-L, Vin McLellan wrote:
... The real threat is incompetent, poor-trained DoD system administrators -- and a class of computer-illiterate senior managers who define "system security" and routine administration as a marginal expenses and scorn readily available options like one-time passwords as too complex for the military mind.
Bill Frantz <frantz@netcom.com> responded:
Public key authentication could go a long way toward solving the military and contractor's security problems. However, they won't use public key authentication for unclassified systems until it is available in "COTS" (Commercial, Off The Shelf) software. And it won't be available there until it can be exported as well as sold domestically. Catch-22
I love PKC with all its promise, but you overstate (and IMHO, attribute inappropriately) the barriers that slow the adoption of one-time password authentication in the military... and many other more highly regarded IS environments.
On thinking about your rant, I think you have a valid point. What our venture capitalists said to us was, "There is no market for security." Now perhaps the ITAR helps suppress that market on the basis of, "If I'm going to have to wander the information superhighway naked, why should I shut the blinds on my house." Given no market, and the requirement to support everything you ever supported, it is hard to justify building in security features.
No, in this case, the blame is spread far more widely. Yes, DoD and other meta-institutions have been slow to acknowledge and act upon the obvious solution to their biggest and most obvious vulnerability. [One Time Passwords - WSF] Security is still seen as a marginal item in the budget -- not something that must be designed into both the technology or implicit in its responsible management.
I have a client who provides services to part of the DOD. (My contract prevents me from being more specific.) Their only saving grace is they don't use the Internet or Unix. (Making them vulnerable to a much smaller group of hackers.) The ideal situation for them would be to use public key authentication because it would be entirely user-transparent. Doing OTP's the way Apple does them (see below) would also work well. However, to implement one of these systems requires modifying a bunch of terminal emulator programs from different vendors (some of whom are no longer in business). Without widely adopted standards for OTP logon, these modifications are not likely to happen.
But they've been able to get away with it because the hardware vendors and big software companies -- the very firms which now harp on ITAR denying them the international market -- have been so hesitant to risk their margins by designing security into their number crunchers...
I think that backward compatibility requirements are a significant part of the reason we see this problem. The other part is, of course, that there is no market for security. Apple has a form of one time passwords in their file sharing system. When you enter your password, it is used as a key to encrypt a challenge sent by the file server (Using a symmetric cypher). The result is returned, decrypted and compared with the original challenge. But this system didn't have to be compatible with a hardware VT100 or TTY-33.
Somehow, firing, fining, demoting, or making liable for damages, any designated system administrator who can't find the time (within, say, a week) to apply vendor-circulated patches for vulnerabilities announced by CERT is too extreme a proposal...
The problem, in general, isn't the system administrators. If management gave the same priority to security that it does to joining new users or installing new hardware, sysadmins would have the time to install the patches. Most sysadmins are up to their asses in alligators. Security is something to put off. If the managers were judged on the security of their systems (perhaps via independent audit), then they might give the problem some priority. ------------------------------------------------------------------------- Bill Frantz | The Internet may fairly be | Periwinkle -- Consulting (408)356-8506 | regarded as a never-ending | 16345 Englewood Ave. frantz@netcom.com | worldwide conversation. | Los Gatos, CA 95032, USA