Okay..so I couldn't resist. This stuff is almost too good to be real. I've doctored up their propaganda a little to help make a better impact on the "average user". :) FL Demonstrates Fatal Flaw in Logins [My apologies in advance if you see several copies of this message. I am posting this fairly widely due to the severity and importance of the problem described.] As you may already have heard via the popular press, First Login Security Corporation has developed and demonstrated a program which completely undermines the security of every known login mechanism. This is a very serious matter because any person attending first year computer science courses can easily implement such a program. We want to make sure that the Internet community is properly informed about the nature of the problem that we have uncovered, and to buy our new sooper-dooper fingerprint sniffer addon device all workstations, vehicle entry systems, and personalized toaster settings. In this (unavoidably short) post, I will try to explain the nature of the problem and its implications for Internet commerce. In deference to those are are not as stupid as the ones to whom this propaganda is aimed, we will hide the explanation of how the attack works until the last part of this message. First of all, let me be perfectly clear about the nature of the problem we have exposed. It is NOT a bug in a single program, and it is therefore NOT something that can be fixed with a "patch" or any other kind of software upgrade. Instead, we have demonstrated a very general attack that undermines ALL programs that ask users to type in their username and password into their home computer. We have tested the program and confirmed that it undermines the security of the login software from Windows 95 and from SunOS, and we expect that it will work similarly for ANY future software based on passwords. Quite simply, we believe that this program demonstrates a FATAL flaw in one whole approach to Internet authentication, and that the use of software to enter passwords can NEVER be made safe. For normal users, we recommend the following simple rule: NEVER TYPE YOUR PASSWORD INTO A COMPUTER. We should also be clear about the Internet authentication mechanisms that are NOT affected by this problem. First Login is unaffected because we never ask the user to put their password at risk by typing it into a computer. Hardware-based solutions can also be devised that are immune to this attack, including solutions based on retinal scanners, smart cards, and fingerprint identification devices in the home. We believe that current zero-knowledge proofs are also not vulnerable to this attack, although some variants of zero-knowledge proofs may be vulnerable to a similar form of attack. Other mechanisms based on the use of cellular telephones or shared fax machines to transmit secret passwords are also unaffected by this kind of attack. Other proposed login mechanisms should, from now on, be evaluated with this kind of attack in mind. The bottom line: INTERNET AUTHENTICATION CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS, BUT USING SIMPLE PASSWORDS IS NOT ONE OF THE SAFE MECHANISMS. It's important to understand why we have taken this step. Obviously, as the long-time leaders in Internet espionage, the last thing we would want to do is to undermine general confidence in Internet logins. However, we realized that many people believed that simply logging in was a safe and easy path to the internet superhighway, and that very few people understood how easily it could be undermined. Upon investigation, we were frankly startled to realize just how easy it was -- a single programmer got the first version of our login spoofing program running in about a week, shortly after he mastered the intricacies of the printf() function. Solutions to not echo the password to the screen took a year later before we discovered the ioctl() function. Aside from our obvious interest in promoting our own ridiculously overpriced product that has such a high failure rate that your company will probably drop kick it into the trash can, we felt that we had an ethical obligation to bring this problem to the attention of the consumers, banks, and other financial institutions who could conceivably suffer catastrophic losses when we are stealing their corporate secrets by espionage. In short, we have been in the business of spying for years and quite frankly, our guilty conscience started to get on us. So we took the time to warn users so we could feel better the next time we helped a large corporation totally rip the shirts off the back of a small business owner, since we warned you ahead of time before we stole everything. We also realize that we have an obligation to do everything possible to avoid helping any unscrupulous people who might seek to utilize this flaw for malicious purposes. Frankly, we're concerned that our competitors will have it as easy as we did in the future. We now have the money and reputation to afford sophisticated bribes and cat burglary tools, so we don't have as much use for login spoofing programs anymore that we once did. We also demonstrated login spoofing to such vital organizations as CERT, the review board of the New England Journal of Medicine, and the Association of Police Chiefs because nobody else would take us seriously. Only after many such private disclosures in which we preyed on the paranoia of the organizations involved did we dare publish the code directly on the internet in a public area of a hacker's convention ftp site. In addition, we have taken several steps to "cripple" our demonstration program, all of which will be discussed below. We wrote it in APL as an entry to the Obfuscated APL Code Contest, not realizing at the time that all APL code looks that way. We took out the echo suppressing ioctl() calls because they aren't supported in our version of APL anyway. And we stored the attempted logins in a memory array before the program exitted instead of a disk file so that the program can't be used by anyone who doesn't understand APL. The bottom line, once again, for those of you who have read this far: NEVER TYPE YOUR PASSWORD INTO A COMPUTER. The stupid ad for our new scam/product: The way our program works is really quite simple. First, all users fill out a 1000 question purity test and the results are entered into the program's database. Then after typing your user name, the program generates a quiz based on your purity score. It authenticates you from a highly accurate estimate of your purity score and a list of personal questions such as the name of your mother's ex-husband's first dog's color. As an added bonus, we also offer the Sneaker II, a clever employee evaluation tool which uses the answers on the purity test to determine the most likely fetishes and potential crimes of all the employees in your company. As an added bonus, Sneaker II will also give you 3 free megabytes of downloads from our own extensive smut database culled from corporate men that we have personally spied on during some of our highly sensitive personal affairs assignments. Natasha Boredstein <nb@fake.com> Chief Propagandist, First Login Security