FL Demonstrates Fatal Flaw in Logins

[Paul E. Campbell]

Okay..so I couldn't resist. This stuff is almost too good to be real. I've
doctored up their propaganda a little to help make a better impact on the
"average user". :)

FL Demonstrates Fatal Flaw in Logins

[My apologies in advance if you see several copies of this message.  I
am posting this fairly widely due to the severity and importance of the
problem described.]

As you may already have heard via the popular press, First Login Security
Corporation has developed and demonstrated a program which completely
undermines the security of every known login mechanism. This is a very
serious matter because any person attending first year computer science
courses can easily implement such a program. We want to make sure that the
Internet community is properly informed about the nature of the problem that
we have uncovered, and to buy our new sooper-dooper fingerprint sniffer
addon device all workstations, vehicle entry systems, and personalized
toaster settings. In this (unavoidably short) post, I will try to explain
the nature of the problem and its implications for Internet commerce. In
deference to those are are not as stupid as the ones to whom this propaganda
is aimed, we will hide the explanation of how the attack works until the last
part of this message.

First of all, let me be perfectly clear about the nature of the problem
we have exposed.  It is NOT a bug in a single program, and it is
therefore NOT something that can be fixed with a "patch" or any other
kind of software upgrade.  Instead, we have demonstrated a very general
attack that undermines ALL programs that ask users to type in their username
and password into their home computer.  We have tested the program and
confirmed that it undermines the security of the login software from Windows
95 and from SunOS, and we expect that it will work similarly for ANY future
software based on passwords.  Quite simply, we believe that this program
demonstrates a FATAL flaw in one whole approach to Internet authentication,
and that the use of software to enter passwords can NEVER be made safe.
For normal users, we recommend the following simple rule:

NEVER TYPE YOUR PASSWORD INTO A COMPUTER.

We should also be clear about the Internet authentication mechanisms that
are NOT affected by this problem.  First Login is unaffected because we
never ask the user to put their password at risk by typing it into
a computer.  Hardware-based solutions can also be devised that are
immune to this attack, including solutions based on retinal scanners,
smart cards, and fingerprint identification devices in the home.  We believe
that current zero-knowledge proofs are also not vulnerable to this attack,
although some variants of zero-knowledge proofs may be vulnerable to a similar
form of attack.  Other mechanisms based on the use of cellular telephones or
shared fax machines to transmit secret passwords are also unaffected by this
kind of attack.  Other proposed login mechanisms should, from now on,
be evaluated with this kind of attack in mind.  The bottom line: 
INTERNET AUTHENTICATION CAN BE VERY SAFE, WITH SEVERAL DIFFERENT MECHANISMS,
BUT USING SIMPLE PASSWORDS IS NOT ONE OF THE SAFE MECHANISMS.

It's important to understand why we have taken this step.  Obviously, as
the long-time leaders in Internet espionage, the last thing we would want
to do is to undermine general confidence in Internet logins.  However,
we realized that many people believed that simply logging in was a
safe and easy path to the internet superhighway, and that very few people
understood how easily it could be undermined.  Upon investigation, we
were frankly startled to realize just how easy it was -- a single
programmer got the first version of our login spoofing program running in
about a week, shortly after he mastered the intricacies of the printf()
function. Solutions to not echo the password to the screen took a year
later before we discovered the ioctl() function. Aside from our obvious
interest in promoting our own ridiculously overpriced product that has such
a high failure rate that your company will probably drop kick it into the
trash can, we felt that we had an ethical obligation to bring this
problem to the attention of the consumers, banks, and other financial
institutions who could conceivably suffer catastrophic losses when we are
stealing their corporate secrets by espionage.  In short, we have been in
the business of spying for years and quite frankly, our guilty conscience
started to get on us.  So we took the time to warn users so we could feel
better the next time we helped a large corporation totally rip the shirts
off the back of a small business owner, since we warned you ahead of time
before we stole everything.

We also realize that we have an obligation to do everything possible to
avoid helping any unscrupulous people who might seek to utilize this
flaw for malicious purposes.  Frankly, we're concerned that our competitors
will have it as easy as we did in the future.  We now have the money and
reputation to afford sophisticated bribes and cat burglary tools, so we
don't have as much use for login spoofing programs anymore that we once
did.  We also demonstrated login spoofing to such vital organizations as
CERT, the review board of the New England Journal of Medicine, and the
Association of Police Chiefs because nobody else would take us seriously.
Only after many such private disclosures in which we preyed on the paranoia
of the organizations involved did we dare publish the code directly on the
internet in a public area of a hacker's convention ftp site.

In addition, we have taken several steps to "cripple" our demonstration
program, all of which will be discussed below.  We wrote it in APL as an
entry to the Obfuscated APL Code Contest, not realizing at the time that
all APL code looks that way. We took out the echo suppressing ioctl() calls
because they aren't supported in our version of APL anyway. And we stored
the attempted logins in a memory array before the program exitted instead of
a disk file so that the program can't be used by anyone who doesn't
understand APL.

The bottom line, once again, for those of you who have read this far:

NEVER TYPE YOUR PASSWORD INTO A COMPUTER.

The stupid ad for our new scam/product:

The way our program works is really quite simple. First, all users fill out
a 1000 question purity test and the results are entered into the program's
database.

Then after typing your user name, the program generates a quiz based on your
purity score. It authenticates you from a highly accurate estimate of your
purity score and a list of personal questions such as the name of your
mother's ex-husband's first dog's color.

As an added bonus, we also offer the Sneaker II, a clever employee evaluation
tool which uses the answers on the purity test to determine the most likely
fetishes and potential crimes of all the employees in your company. As an
added bonus, Sneaker II will also give you 3 free megabytes of downloads from
our own extensive smut database culled from corporate men that we have
personally spied on during some of our highly sensitive personal affairs
assignments.

Natasha Boredstein <nb at fake.com>
Chief Propagandist, First Login Security