Mailing List Archive: NANOG: users

Dear Linkedin,



bzs at world

Jun 10, 2012, 7:36 PM

Post #76 of 87 (675 views)
Re: Dear Linkedin,

On June 10, 2012 at 19:47 apishdadi [at] gmail (Ameen Pishdadi) wrote:
>Don't know if someone already posted this but they're forcing people
>to reset their passwords, but it lets you reset it to the same
>password as before... How many people are going to use the same pass?
>I'd say a good portion, LinkedIn needs some new isec employees

It's only Linkedin not bank accounts -- not that most people's bank
accounts are much to worry about either :-)

But what's dumb is that what they're asking for with that policy is a
big headache for themselves when accounts get messed up, whatever
pranksterism or nefarious deed, I dunno, spamming from someone's
cracked acct is a good example, and Linkedin's staff has to deal with
each and every one.

Maybe they lack imagination as to what they might be getting
themselves into.

--
-Barry Shein

The World | bzs [at] TheWorld | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*


a.harrowell at gmail

Jun 11, 2012, 12:38 AM

Post #77 of 87 (675 views)
Re: Dear Linkedin,

The Cambridge University Computer Lab has had a crack at this question
in their Technical Report 817 on Web authentication:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-817.html


Their conclusion is to use the Mozilla password manager (or close
analogue, but they like it because it's open source, free, and
available). Anyway, it's well worth reading.


A question: password managers are obviously a great idea, and password
manager + synchronisation takes care of multiple devices. However, if
the passwords themselves are poor, this doesn't help.


As well as a browser vault, we need a Passwords API to let a Web site
request the creation of a password. You will need:


a MakePassword() action that creates a random, cryptographically strong
password for the specified domain and specified username, with the
specified TTL, and registers it in the vault.


a same-domain constraint


an SSL only constraint


a RequestLogin() action, leading to either automatic login or a user
dialog as desired


a RevokePassword() action, that flushes the existing password and forces
the creation of a new one. This can be explicitly invoked, for example
after a security incident, or else activated when a TTL runs out.


a user interface action that permits the user to invoke Revoke on all or
a subset of the passwords.


This addresses: making up passwords, not sharing passwords, remembering
passwords, revoking compromised passwords.


No, it won't help if the evil maid sprays liquid nitrogen into your
laptop in suspend mode to render analysis of RAM easier yadda yadda, but
nothing will*, and if you face that kind of threat, you're operating in
a different league and passwords are the least of your worries. Because
you're not using them...are you?


Also, if the enemy can defeat SSL they can still phish you, but that's
going to be a very hard one to eliminate entirely, whatever happens.
(and how many security incidents are like that compared to ones
involving password compromises?)


Why didn't W3C do this 10 years ago? Kind of amazing, given how common a
pattern username/password is, that there is no mention of the word here:
http://www.w3.org/TR/


*you can of course encrypt the disk that contains the password vault,
but in general, someone with physical access will win.

--
The only thing worse than e-mail disclaimers...is people who send e-mail
to lists complaining about them


johnl at iecc

Jun 11, 2012, 11:35 AM

Post #78 of 87 (674 views)
Re: Dear Linkedin,

>From someone who supplies an out-of-country drivers license, I'd request to
>see their passport. From someone who supplies an out-of-state drivers
>license, I'd probably accept it, but the risks there are somewhat reduced at
>least.

OK, someone shows you a Quebec driver's license. You ask for a
passport, she says, I don't have one, and points at the blue word Plus
after the words Permis de Conduire at the top of the license. Now
what?

Although banks have different tradeoffs in risk management than you
might like, they're not dumb. I expect they figured that the increased
volume from not slowing down transactions and demanding more than makes
up for whatever the increased fraud. This theory is reinforced by my
observation that at my local supermarket, they don't even ask for the
signature that they don't look at for purchases under $50.

R's,
John


jared at puck

Jun 11, 2012, 11:48 AM

Post #79 of 87 (674 views)
Re: Dear Linkedin,

On Jun 11, 2012, at 2:35 PM, John Levine wrote:

> OK, someone shows you a Quebec driver's license. You ask for a
> passport, she says, I don't have one, and points at the blue word Plus
> after the words Permis de Conduire at the top of the license. Now
> what?

Banks and most retailers actually have a book with photos and details of various security aspects of the license and ID cards in use. For fun, I have presented my "Global Entry" ID card at the bank for a transaction to see if they had seen it before.

The US Federal Government tried to standardize on HSPD-12, now about 5 years old.

Making a secure document, or something that uses PKI such as this is harder than it may initially seem. This is why I'm not the one designing them.

- Jared


jra at baylink

Jun 11, 2012, 11:53 AM

Post #80 of 87 (674 views)
Re: Dear Linkedin,

----- Original Message -----
> From: "John Levine" <johnl [at] iecc>

> Although banks have different tradeoffs in risk management than you
> might like, they're not dumb. I expect they figured that the increased
> volume from not slowing down transactions and demanding more than makes
> up for whatever the increased fraud. This theory is reinforced by my
> observation that at my local supermarket, they don't even ask for the
> signature that they don't look at for purchases under $50.

Another point here is that *just asking for ID, and observing the patron's
mien when they give it to you* filters out 2 whole categories of low-hanging
fruit attackers.

Cheers,
-- jr 'each user discovers a new category of bugs' a
--
Jay R. Ashworth Baylink jra [at] baylink
Designer The Things I Think RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274


owen at delong

Jun 11, 2012, 12:05 PM

Post #81 of 87 (672 views)
Re: Dear Linkedin,

Sent from my iPad

On Jun 11, 2012, at 11:35 AM, "John Levine" <johnl [at] iecc> wrote:

>> From someone who supplies an out-of-country drivers license, I'd request to
>> see their passport. From someone who supplies an out-of-state drivers
>> license, I'd probably accept it, but the risks there are somewhat reduced at
>> least.
>
> OK, someone shows you a Quebec driver's license. You ask for a
> passport, she says, I don't have one, and points at the blue word Plus
> after the words Permis de Conduire at the top of the license. Now
> what?

To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.

So, I'd probably pass on the transaction unless she wanted to select another form of payment.

> Although banks have different tradeoffs in risk management than you
> might like, they're not dumb. I expect they figured that the increased
> volume from not slowing down transactions and demanding more than makes
> up for whatever the increased fraud. This theory is reinforced by my
> observation that at my local supermarket, they don't even ask for the
> signature that they don't look at for purchases under $50.

Indeed, as I have said, for small purchases where the transaction rate can be high, swipe and go makes sense to me. I'm talking about larger purchases that involve a lengthier sales process anyway.

Owen


simon.perreault at viagenie

Jun 11, 2012, 12:14 PM

Post #82 of 87 (673 views)
Re: Dear Linkedin,

On 2012-06-11 15:05, Owen DeLong wrote:
>> OK, someone shows you a Quebec driver's license. You ask for a
>> passport, she says, I don't have one, and points at the blue word Plus
>> after the words Permis de Conduire at the top of the license. Now
>> what?
>
> To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.

Your knowledge needs an update! ;)

http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php

Simon
--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca
STUN/TURN server --> http://numb.viagenie.ca


alter3d at alter3d

Jun 11, 2012, 12:35 PM

Post #83 of 87 (675 views)
Re: Dear Linkedin,

On 12-06-11 03:14 PM, Simon Perreault wrote:
> On 2012-06-11 15:05, Owen DeLong wrote:
>>> OK, someone shows you a Quebec driver's license. You ask for a
>>> passport, she says, I don't have one, and points at the blue word Plus
>>> after the words Permis de Conduire at the top of the license. Now
>>> what?
>>
>> To the best of my knowledge, ICE stopped accepting DL for admission
>> from Canada several years ago.
>
> Your knowledge needs an update! ;)
>
> http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php
>
>
> Simon

Yup, various Canadian provinces now issue "newer, better" driver's
licenses that are accepted by ICE for entry to the US by land or sea
only (not by air, you still need a passport or NEXUS for that). Here
in Ontario, they're called "Enhanced" driver's licenses, and only have
minor differences from regular driver's licenses -- they have the word
"Enhanced" on them, and they contain an RFID chip which is scanned at
the border for ID & verification purposes. Oh, and they cost an extra
$40 when you renew them. The enhanced licenses were rolled out at
pretty much the same time as the US entry requirements changed, so if
you were a keener and got an enhanced card when they were first
available, absolutely nothing would have changed for you, except that
your wallet is now a bit lighter and you have a shiny new card.

It's left as an exercise to the reader as to whether the word "Enhanced"
printed on a card and an RFID tag are, in fact, any more secure than
what we had before....

- Pete


stephen at sprunk

Jun 11, 2012, 12:37 PM

Post #84 of 87 (675 views)
Re: Dear Linkedin,

On 11-Jun-12 14:05, Owen DeLong wrote:
> On Jun 11, 2012, at 11:35 AM, "John Levine" <johnl [at] iecc> wrote:
>> OK, someone shows you a Quebec driver's license. You ask for a passport, she says, I don't have one, and points at the blue word Plus after the words Permis de Conduire at the top of the license. Now what?
> To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.

Only non-enhanced ("plus" in Quebec) drivers licenses. See:
http://www.dhs.gov/files/crossingborders/travelers.shtm

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking


gabe at teksavvy

Jun 11, 2012, 12:38 PM

Post #85 of 87 (673 views)
Re: Dear Linkedin,

On Jun 11, 2012, at 3:14 PM, Simon Perreault wrote:

> On 2012-06-11 15:05, Owen DeLong wrote:
>>> OK, someone shows you a Quebec driver's license. You ask for a
>>> passport, she says, I don't have one, and points at the blue word Plus
>>> after the words Permis de Conduire at the top of the license. Now
>>> what?
>>
>> To the best of my knowledge, ICE stopped accepting DL for admission from Canada several years ago.
>
> Your knowledge needs an update! ;)
>
> http://www.saaq.gouv.qc.ca/en/driver_licence/licence_plus/licence_plus.php
>

How the heck did this conversation go from Linkedin to a Quebec drivers license? I'm not sure how relevant this is to NANOG. Both subject matters that is.

-Gabe


surfer at mauigateway

Jun 11, 2012, 12:41 PM

Post #86 of 87 (674 views)
Re: Dear Linkedin,

--- gabe [at] teksavvy wrote:
From: Gabriel Blanchard <gabe [at] teksavvy>

How the heck did this conversation go from Linkedin to a Quebec drivers license? I'm not sure how relevant this is to NANOG. Both subject matters that is.
------------------------------


New to nanog, eh? ;-)

scott


jcdill.lists at gmail

Jun 12, 2012, 7:32 AM

Post #87 of 87 (665 views)
Re: Dear Linkedin,

On 11/06/12 12:38 AM, Alexander Harrowell wrote:
> A question: password managers are obviously a great idea, and password
> manager + synchronisation takes care of multiple devices.

Go ahead and use one of these password managers and load it with all
your passwords. Then load its smartphone app on your smartphone, and
report back how well it works to load your secure password into the
Facebook App, the Flickr App, the Twitter App, the (fill-in-the-blank)
App for the 1001 Apps you have on your phone.

To the best of my knowledge, there is no password manager that
*seamlessly* syncs your password with a computer and with smartphone
apps. And in case you haven't noticed, more and more computing (and
logging in) is done with smartphone apps these days.

This is still very much an unsolved problem. Fixing it so it works on
just one computer (using a password manager) is solved. Fixing it so it
works on several "regular" computers (synching password managers) is
solved - although this also puts your passwords in the possession of
another party (to allow the synching to work). Fixing it so you can
login seamlessly and easily from all types of computers including
computers you don't own (when visiting/traveling) is NOT a solved
problem, and if you use a password manager and think it makes your life
easy, then you suddenly find you can't login to anything (e.g. you are
traveling and lose your phone and need to login to your email account,
with a password you don't remember, you only have the secure password
for your password manager) you will find out how NOT easy this solution
really is.

jc
