
Passport Security

by tilly (Archbishop)
on Dec 14, 2001 at 13:57 UTC ( #131914=perlmeditation )

I recently ran across an interesting article on how Passport security works, and what some of the flaws with it are, including a construction of an exploit (now fixed). As noted, while there is now a road-block for that specific exploit, the underlying problems are still there, and a motivated observer could readily construct another.

I am not bringing up this article because I think that Microsoft has done an unduly horrible job in constructing their Passport service. I am bringing it up because I think they haven't. Oh don't get me wrong. I am not saying that Microsoft did a good job of getting it right because they didn't. I am saying that I wouldn't expect to see someone else doing a better job.

What is their real mistake? That they have a consistent pattern of small oversights, which make it easy for a determined exploiter to find their way forward. They have cross-site scripting holes. Congratulations, most people do. They have attempted to filter out known dangerous constructs rather than forcing known valid input. Congratulations, even though that is ass-backwards if you want security, that is the common immediate response. They have focussed on features over security. They and (much chest beating notwithstanding) everyone else.

As has come up in past discussions, this site does little better. (Visit tye's home page.) It would be a sucker bet to predict that many of the people here have worked with corporate code-bases that do substantially worse things. In fact many still do. And if you haven't had the displeasure, your turn will probably come.

So re-read it. Not with an eye towards, "Microsoft sucks!" but with an eye towards, "Would I know to do better?" Because as the oft-regurgitated but seldom understood mantra goes, security is a process. It is a process that we get wrong, over and over again. People have fundamental misunderstandings that are guaranteed to lead to problems. And that means that the process which is security needs some debugging.

And so I finish by reminding people of the fundamental point that you should avoid parsing (re-read again, seeing how that theme applies) and with an inspirational story from the Space Shuttle about what debugging a process can look like. (Before everyone jumps up and down and says that that cannot be done, stop. It can be done. It may not be worth going to that extreme all of the time, but IMNSHO people can and should habitually do more that way than they do now.)
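
The contrast drawn in the post above between filtering known-dangerous constructs and forcing known-valid input, as an added Perl example that is not part of the thread, the linked article, or Passport's code. The function names, the tag allowlist and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Blocklist: strip constructs known to be dangerous (the approach criticised above).
sub blocklist_filter {
    my ($html) = @_;
    $html =~ s{<\s*/?\s*script[^>]*>}{}gi;   # remove <script ...> and </script>
    $html =~ s{javascript:}{}gi;             # remove javascript: URL schemes
    return $html;
}

# Allowlist: treat everything as text, then re-enable only exact known-good tags.
my %ALLOWED = map { $_ => 1 } qw(b i em strong p br);
my %ESC = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');

sub allowlist_filter {
    my ($html) = @_;
    # Step 1: escape every metacharacter, so nothing is markup any more.
    $html =~ s/([&<>"'])/$ESC{$1}/g;
    # Step 2: restore only "<tag>" or "</tag>" with an allowed lowercase name
    # and no attributes; anything else stays escaped and renders as text.
    $html =~ s{&lt;(/?)([a-z]+)&gt;}{ $ALLOWED{$2} ? "<$1$2>" : "&lt;$1$2&gt;" }ge;
    return $html;
}

# Constructed sample inputs; x() is a placeholder, not a real payload.
my @samples = (
    '<b>hello</b>',                            # legitimate formatting
    '<scr<script>ipt>x()</scr</script>ipt>',   # one-pass stripping reassembles the tag
    '<b onmouseover="x()">hi</b>',             # construct the blocklist never listed
);

for my $in (@samples) {
    printf "input:     %s\nblocklist: %s\nallowlist: %s\n\n",
        $in, blocklist_filter($in), allowlist_filter($in);
}
```

The blocklist passes the second and third inputs through as live markup, while the allowlist renders them as inert text. A production sanitizer would also balance the tags it lets through, which this sketch does not do.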

(ichimunki) Re: Passport Security
by ichimunki (Priest) on Dec 14, 2001 at 21:52 UTC
    I would offer this footnote: saying "security is a process" is not specific enough. While that aphorism captures the essence that the work is ongoing, it omits any mention of what the process actually involves-- managing risks. Specifically, clarifying risks, identifying vulnerabilities, and taking appropriate action to mitigate threats.

    update: I also want to add that any security plan worth having around has the proactive steps I mentioned but doesn't stop until it also includes incident detection, incident response, and backup and recovery planning.
Re: Passport Security
by kwoff (Friar) on Dec 14, 2001 at 23:50 UTC
    It can be done, but I think Microsoft will never release "mission critical" code because it's not in their best interest.

    Quote from the article:

    It is very clear that either Microsoft does not have sufficient resources in place to properly review the security of their services and software (it only took me about 30 minutes to come up with the basics of the example exploit, why didn't they notice the same issues?) or that they are aware of the shortcomings but decided that attempting to gain market share was more important than their user's security.

    The reason Microsoft sucks is they have billions of dollars and still botch it. That quote tells why: their priority is making more billions, not security, not the interest of the user (aside from what's minimally required to keep them interested or FUDded). Why would they waste time designing (they're already late getting in the internet game) and debugging when they can be making money? Then they can sell upgrades, too, and claim it's some "new technology" or "experience". I think something like Passport is far too important to put in the hands of a company with a track record like Microsoft, and I don't apologize for them one bit.

      You say that Microsoft is out to make more billions like it was a bad thing.

      Um, well of course Microsoft wants to make billions. They are a business. Businesses are about making money. Unless you want to throw out capitalism, this is going to continue to be the case.

      Were Microsoft taken out, would that improve things? I rather strongly doubt it. The problem isn't which company is currently top of the heap. Whether it is Microsoft, Sony, AOL, Oracle etc doesn't really matter. What matters is that companies which shortchange security are likely to make plenty more billions of dollars.

      Until that is solved, the specific advisories are just symptoms.

      Moving beyond that though, claims that Big Bad Evil Microsoft was negligent would be more reasonable if they made mistakes which were out of line with the current state of the art. Do they? Well they make mistakes that are out of line with what people who care about security think that we should expect. But they don't (that I see) make mistakes that are out of line with the norm among software developers. The ones at the Monastery included.

        Yes, Microsoft has made mistakes, and that is not necessarily a damning statement. But what is awkward is the reasons for these mistakes.

        Microsoft has always looked to features/convenience as their #1 priority (unless you want to add "sounds good in marketspeak" to the list) and security has always been added as an afterthought.

        The exploit on the page in question was doable because of Microsoft's belief that your HTML doesn't have to be correct to be parseable. It sounds good in theory, but what if they added the same "feature" to perl. The monastery would be up in arms. I personally don't think that expecting HTML to not be littered with garbage tags is so unthinkable.

        Then you get into the "Security through Obscurity" practices, and I start to wonder, would you trust passport??

        Furthermore, from looking at the details of the previous exploit, it would seem that future attacks will need to target users from one particular site. (Since finding the merchant ID is crucial to spoofing the server.) So, if you are a passport enabled site and 10,000 users get their credit card details stolen, you run a good risk that MS will go with the old "It's the merchant's fault" defense. This could be devastating to any online merchant. (Look at egghead.com)

        I felt that the author's most insightful comment comes when he is discussing the "special hooks" used by Hotmail nee MS. If you are an early adopter of the passport service you help MS spread its influence by making it useful. Who knows if MS will use those special hooks to build a competing site.

        This also begs the question, How much will passport know about your on-line transactions?? I am not even as worried about what they will do with the user data, as much as their ability to profile sales for cooperating companies. If they decide to become a competitor at a later date....

        The fact that Microsoft is out to make billions is not the question, the question is how do they plan to make it.

        So the Microsoft engineers make the same mistakes as the monks?? I for one would hope that MS uses some of those billions to hire programmers with more experience in security and programming than myself. Where is the testing?? Why are we always paying to join Microsoft's public betas??

        The exploit on the page is related to a long standing Hotmail exploit, and passport just ups the prize for finding these exploits. Perhaps the new ThinkGeek T-shirt should be "I read your e-mail while using your credit card for phone sex."

        They have used fairly weak encryption (MD5) and left some sensitive data out in the open. I think even most of the monks here would think... "Hmm, I should probably not leave the UID out in the open." Again, testing should have revealed weaknesses like these.

        Finally, I would just like to harp on the changing nature of passport. From my own testing it appears that two passport servers do not behave the same way. Most likely due to the behind the scenes tweaking.

        Toss in poor documentation, poor logging and error recovery, and being logged on to wallet without realizing it?? I could just keep going....

        Let's face it, if you had to go in after this and "fix" this program, you'd cuss the developer for a year straight.

        And can I just add that I freakin' hate IE. I do webpages, and I have some IE compatible pages with PURPOSEFUL ERRORS in them, designed to combat some of the render problems. Drives me nuts.

        This message courtesy of Opera 6.0.

        HamNRye
        nothing4sale.org

Re: Passport Security
by Albannach (Prior) on Dec 14, 2001 at 23:57 UTC
    I must thank you for that link to the excellent article on the software design process used for the Space Shuttle. In the context of your thread title it reminds me that security isn't really special but should simply be another part of the software specification, a specification that is so well thought-through that one wouldn't need to put special attention on security in an attempt to make sure it worked. The focus on security (or any other feature) almost always fails to some degree, and it seems that it isn't security that is the problem, it is the whole software design process that is the problem.

    The shuttle article discusses at length the differences between the software design culture and other more established professions, and this also reminds me of the ongoing debate in some circles about whether "software engineering" is really engineering, and whether it should be. (We have discussed this here before, here is a good example).

    This leads me to your final point that this can be done. Frankly it is already done (but as you point out it needn't be carried to this extreme) in most other fields as illustrated by the number of things that don't fail every day (the old joke about what a Microsoft-built car would be like contains some perceptive and valuable comparisons). Why do we tolerate and even expect failure in software? I'd like to offer yet another plug for the Risks Digest as required and regular reading material for anyone designing anything - patterns of risk and error appear in all fields and much can be gained from the exercise of seeking parallels.

    From the Fast Company article:

    ...Software is getting more and more common and more and more important, but it doesn't seem to be getting more and more reliable.

    ...admittedly they have a lot of advantages over the rest of the software world. They have a single product: one program that flies one spaceship. They understand their software intimately, and they get more familiar with it all the time. The group has one customer, a smart one. And money is not the critical constraint ... the group (is) among the nation's most expensive software organizations.

    Now imagine if you will that the world's most popular OS had been built this way. For the vast majority of users, it would have saved countless hours of frustration and unproductive time, easily justifying a much higher per workstation price tag. Certainly there would be disadvantages (the first that comes to mind being the lack of flexibility), and it is difficult to see how this could have come about on such a scale, but to me it is an interesting scenario to consider.

    --
    I'd like to be able to assign to an luser

      A key point is that when you do things right, doing things correctly results in security. OpenBSD's documented audit procedure underscores that. They don't look for security holes per se. They look for bugs and fix them. Later on they find out that at least some of their bugs were security holes. And even if they weren't, well they at least got rid of some bugs... :-)
Re: Passport Security (slightly OT)
by fr3ez (Acolyte) on Dec 17, 2001 at 18:18 UTC
    This post was very timely.
    I was just considering on the weekend, how everything Microsoft is doing at the moment seems to rely more and more heavily on you using passport.

    Having had experience with hotmail and spam, as I'm sure most others have. Researching Microsoft's Terms and Conditions I note:
    Hotmail keeps your personally identifiable information private and does not share it with any third parties, unless you choose, at the time of registration, to be listed in either the Hotmail Directory or the Internet White Pages directory.

    I created a test account some time ago to test this theory. I made 100% sure I was not subscribed to any bulletins or listed in any directories via their registration process. The account was also randomly generated characters.

    Within 4 days I had my first spam and now the account regularly gets 4-5 a day. I have NEVER used this account for anything other than logging in for purposes of this test.

    What is the relevance? Well it is clear Microsoft does on-sell your details despite their claims and explicit policy otherwise.
    Now we also have the question of their security etc.

    With more reliance on Passport, and Microsoft wanting e-Wallets and whatever their next move is.
    I'm not sure this is a company I feel comfortable with and would like to share so much information with. If I had never heard of Microsoft before and was evaluating them as a first time supplier or the like, I'm 100% certain they would be rejected.

    Is it only because of their stranglehold on the market that we tolerate this behaviour? We can make a difference, and it will be a cold day in hell before I entrust them with details of a delicate nature.

    P.S. I do use online banking and shopping, but only with companies I feel I can trust.

    .oO fr3ez Oo.
      Well it is clear Microsoft does on-sell your details despite their claims and explicit policy otherwise.

      Well, it is not that clear. Actually spammers could just guess your mailbox address. Last time I checked it was possible to verify if any mailbox exists on hotmail.com using fake mail post technique (combination of MAIL FROM and RCPT TO commands). I've heard about spammers who do scan hotmail for existing mailboxes.

      Don't get me wrong. I don't like M$ but I think it is just stupid for them to sell your info to spammers. It hurts their image without earning too much money.

      --
      Ilya Martynov (http://martynov.org/)
