On Cypherpunks-L, Vin McLellan wrote:
... The real threat is incompetent, poor-trained DoD system administrators -- and a class of computer-illiterate senior managers who define "system security" and routine administration as a marginal expenses and scorn readily available options like one-time passwords as too complex for the military mind.
Bill Frantz <frantz@netcom.com> responded:
Public key authentication could go a long way toward solving the military and contractor's security problems. However, they won't use public key authentication for unclassified systems until it is available in "COTS" (Commercial, Off The Shelf) software. And it won't be available there until it can be exported as well as sold domestically. Catch-22
I love PKC with all its promise, but you overstate (and IMHO, attribute inappropriately) the barriers that slow the adoption of one-time password authentication in the military... and many other more highly regarded IS environments. Security Dynamics (a client of mine) has sold a million SecurID two-factor OTP tokens internationally -- and its ACE/Server installations are freely exported to 20-odd nations, even with its embedded DES code. There is no barrier against exporting OTP authentication systems, either two-factor tokens or software! Bellcore's s/key is available world-wide in both the popular freeware versions and Bellcore's commercial client/server version -- and the US Navy developed and circulates widely its own freeware rewrite of the s/key OTP code: OPIE. Free and commercial OTP code has been effectively COTS for years! I would be greatly surprised if there has been a published report on the state of security in the US computer or communications infrastructure anytime in the past five years which has not highlighted the promise of OTPs to plug the single most eggregious systemic vulnerability in the installed base of networked computer systems: static, unchanging, user passwords vulnerable to anyone with a wayward sniffer utility or (to collect them by the bushel) able to logon to a target site with one of those stolen passwords to drop a trojan. Without trustworthy user authentication there is no meaningful computer security, period! Sen. Sam Nunn, who is now chairing the Congressional hearings on Security in Cyberspace, is a bright guy -- although he is reputed to be utterly innocent of basic computer skills. Yet Sam Nunn could have pulled off the total penetration of the 30 USAF computer systems at Rome Labs -- the tale of incompetence witnesses described so luridly at his recent hearings -- with a couple of hours of simple tutorials from anyone on this List. The British 16 year-old who did it just religiously collected passwords -- working the Net from his 25 MHz 486 SX pc with a 170 Megabyte hard drive. The "Datastream Cowboy" liked to hack .MIL systems because -- as he was quoted explaning, in an analysis by the Nunn's subcommittee staff -- they are "so insecure." CERT, DISA, NIST, OTA, GAO, even NSA -- they've all issued stacks of reports with the same redundant recommendations. Even CERT, fer cripes sake! Reusable passwords are the hole in the dyke! It's a mantra among the security pros; has been for years: "Shift to OTPs for meaningful security in networked systems." Yes, there are still threats to the communication links without network encryption -- but with OTPs, even those vulnerabilities become vastly more managable. With universal adoption of OTPs for multi-user systems, 80 percent (??) of the problem would disappear and we could worry (as we must) about bad code in Sendmail and other widely-used apps and system products. Then, we could blame our sense of vulnerability on the self-interested spooks and the short-sighted politicians who deny us and our culture the personal security of widespread quality encryption. But it's not that simple. Access to encryption is one issue; separate and distinct from the issue of the adoption of one-time password technologies. OTP user authentication -- and the vast increase in the security and integrity of our computers and networks it could bring to our government and private sector information systems -- is _Not_ dependent upon the government releasing encryption (PKC or other) from its spooky bondage. You don't need PKC for quality authentication. They are complementary technologies (thus, the proposed merger of Security Dynamics and RSA) but they are not the same. They are not even necessarily interdependent. You can have weak authentication with utterly secure network encryption. No, in this case, the blame is spread far more widely. Yes, DoD and other meta-institutions have been slow to acknowledge and act upon the obvious solution to their biggest and most obvious vulnerability. Security is still seen as a marginal item in the budget -- not something that must be designed into both the technology or implicit in its responsible management. But they've been able to get away with it because the hardware vendors and big software companies -- the very firms which now harp on ITAR denying them the international market -- have been so hesitant to risk their margins by designing security into their number crunchers. And they've been able to get away with that because the whimpy class of professionals who design, impliment, and manage the computer installations upon which our nation (many nations!) and our industrial culture depend has been unable to get it together to define or condemn irresponsible, unprofessional stewardship of these assets. People carp about soul-less lawyers. Money-grubbing MDs. Sell-out CPAs. But has there ever been a class of technical professionals so adept at denying all responsibility for the proper and responsible management of the power and assets they control as we professional technocrats of the computer culture? By contrast, lawyers, MDs, etc., are bastions of probity and social and professional responsibility! How low do you have to sink to find some unacceptable level -- some level of incompetent system administration that carries the burden of liability? A standard beneath which a professional's peers would judge him or her reckless and irresponsible, lacking due care, unprofessional? Frankly, I've never been able to find out. (And, to judge by the lack of judicial condemnation of corporate and public managers for mismanagement of other people's electronic assets, neither have the Courts.) Think of it: our culture could be about to be irretrievably transformed by a series of laws drafted by the American subculture of spys (both the police and the real spooks) and passed by legislators stampeded into reckless action by a heartfelt but hysterical sense that our computer-based national infrastructure is vulnerable to bored teanagers just bright enough to scoop up the static passwords that circulate unprotected on our networks; to run CRACK against readily-available "secured" password files full of what everybody knows are guessable passwords; or to slip through system backdoors announced world-wide by CERT and FIRST alerts... but never patched, closed, or fixed. Sad. No -- it's absurdly tragic! Nunn's subcommittee will leap from considering poor Datastream's vaunted outlaw prowess to offer, in the weeks to come, yet another proposal for guaranteed government access to private sector crypto keys. (And this one might fly with the Nation -- all those Nations -- At Risk.) Somehow, firing, fining, demoting, or making liable for damages, any designated system administrator who can't find the time (within, say, a week) to apply vendor-circulated patches for vulnerabilities announced by CERT is too extreme a proposal. OTPs are too simple a solution. Better to toy with the potential for repression than risk the revolutionary idea of personal and professional responsibility. They say People ultimately get what they deserve. Computer professionals better pray that this is not the case. _Vin (Zounds! This was to be merely my two cents, but then the wind caught my sails. Apologies for the overheated bandwidth.) Vin McLellan +The Privacy Guild+ <vin@shore.net> 53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548 <*><*><*><*><*><*><*><*><*>