Whitehouse Tackles Cybersecurity

There are server-origin attacks to consider as well, beyond the more
obvious password capture, etc. Consider agent and X11 forwarding, for
which we've recently added some discussion to OpenSSH ssh_config(5):

     ForwardAgent
             Specifies whether the connection to the authentication agent (if
             any) will be forwarded to the remote machine. The argument must
             be ``yes'' or ``no''. The default is ``no''.

             Agent forwarding should be enabled with caution. Users with the
             ability to bypass file permissions on the remote host (for the
             agent's Unix-domain socket) can access the local agent through
             the forwarded connection. An attacker cannot obtain key material
             from the agent, however they can perform operations on the keys
             that enable them to authenticate using the identities loaded into
             the agent.

     ForwardX11
             Specifies whether X11 connections will be automatically redirected
             over the secure channel and DISPLAY set. The argument must be
             ``yes'' or ``no''. The default is ``no''.

             X11 forwarding should be enabled with caution. Users with the
             ability to bypass file permissions on the remote host (for the
             user's X authorization database) can access the local X11 display
             through the forwarded connection. An attacker may then be able
             to perform activities such as keystroke monitoring.
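The operational trap behind the ssh_config(5) text above is first-match evaluation: a blanket "ForwardAgent yes" in an early or "Host *" stanza silently applies to every host not already covered. The following Python audit is an added example (not from this thread or from OpenSSH) that mimics that rule over a constructed sample config to report the effective setting per hostname.

```python
"""Compute the effective ForwardAgent / ForwardX11 setting an OpenSSH
ssh_config gives each host. Added example, not from the thread or OpenSSH.
ssh_config(5) keeps the FIRST value obtained for an option, so a "yes" in
an early stanza beats a later "no". Host negation and Match not handled."""
from fnmatch import fnmatch
import re

FORWARD_OPTS = ("forwardagent", "forwardx11")
# Constructed sample config, not a real site's file. The trailing
# "Host *" stanza is the blanket default the man page text warns about.
SAMPLE_CONFIG = """\
Host bastion.example.org
    ForwardAgent no
    ForwardX11 no

Host corp-*
    ForwardX11 yes

Host *
    ForwardAgent yes
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order;
    options before the first Host line belong to an implicit "*"."""
    stanzas, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.match(r"(\w+)\s*=?\s*(.*)", line).groups()
        if key.lower() == "host":
            stanzas.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key.lower(), value.lower())  # first wins
    stanzas.append((patterns, opts))
    return stanzas

def effective_forwarding(stanzas, hostname):
    """Effective ForwardAgent/ForwardX11 for hostname (default "no")."""
    found = {}
    for patterns, opts in stanzas:
        if any(fnmatch(hostname, p) for p in patterns):
            for opt in FORWARD_OPTS:
                if opt in opts:
                    found.setdefault(opt, opts[opt])  # first match wins
    return {opt: found.get(opt, "no") for opt in FORWARD_OPTS}
```

Run it against a real ~/.ssh/config to see which hosts would hand a remote root the agent socket or the X display; hosts that resolve to anything other than "no"/"no" deserve an explicit per-host stanza.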

Sunday afternoon is full of tutorials on lots of different subjects.
Has anyone volunteered to conduct a Sunday tutorial on wireless security
for users of "public" wireless networks?

Although I think it is a mistake to think wireless network security
is different from using any other network you don't control. Most
wireless security tutorials tend to concentrate on "securing" the
wireless network instead of how to communicate over an untrusted
network.

In fact, why not make the tutorial oriented towards operators, and be one of designing and providing service for mobile users (no matter what media are used)?

In reality, most or all of the "service" that results is run on the end-points, but ISPs can help greatly by providing documentation and, sometimes, software to support this. They also can learn what mechanisms provide real security and what mechanisms do not.

d/

Based on information at MERIT's website, it's too late to submit
a presentation. In addition such presentations must be finalized
and the slides approved by Merit no later than 30-Sep.

It's important to note that the second requirement isn't publicly
stated. I did receive email from Dr. Harris, that my two approved
presentations

Flotsam and Jetsam of the Net, a study of junk on the net.

and

IANA Running an IRR for IANA-Reserved space
  (a presentation supported by the IANA)

have now been canceled because of this unknown 30-Sep requirement.

I've appealed to Dr. Harris's management on the issue. They
should have published the schedules better. I should know more
soon.

Merit handles NANOG meetings, like it handles network security.

Having been a past host of 2 NANOGs

I would state the following:

1. There should be CLEARLY POSTED SIGNS that state this is a
conference network, access is permitted only to registered
attendees, and that all traffic on this network is subject
to monitoring.

2. The wireless or wired networks do not need additional layers
of security. Is it the "show net's" responsibility to PROTECT
YOUR DATA? I think not. If you have data you do not want others
to see, then LOCK YOUR MACHINE DOWN.

    I've forgotten to turn off OS features that shouldn't be on
at a show net, so have other "famous, clued and well respected
people on this list".

    I now run tunnels for all external communications, including
IM's and chat programs. (Trillian has blowfish for ICQ as an example)

3. The NANOG show.net isn't a "production network"

4. MERIT SHOULD ALLOW Randy to post his password list. It's comical
at times, and helps reinforce the need for security on mobile machines.

Mandatory security practices are good for a "production network". I don't
consider NANOG networks "production". They are short lived, ad-hoc
nets provided as a convenience to the attendees and as a way to stream
data to those that can't attend.

If you want security, then unplug.

NANOG is operated by non-operational people, its quality has suffered because
of that.

john brown

Use VPN technology, Use 802.11a/b as the media and nothing else.
Encrypt. Tunnel your connections.

prudent users don't get hacked. non-prudent users hopefully learn
or darwin happens.

Really? Care to list the bulletproof hardware and software these god-like
creatures use, rather than the bug-ridden stuff we lesser folk have to
make do with?

Randy Bush wrote:

but it adds annoyance for the intended users. in the case of non-
techs, considerable annoyance. and it gives negligible privacy.

(sigh)

Randy has the best of intentions. But I'm tired of the old saw that
security adds annoyance. I long ago gave up on a WG at the IETF when
the members wanted to add security, but with *NO* configuration.

Sorry, any security requires a *SECRET*.

I will agree that the security in WEP is almost useless, and have
personally campaigned to change it for years. But, it is still the only
Access Control widely available. So, it should be used, in addition to
the better methods.

"John M. Brown" wrote:

>
> a prudent user does not ssh _from_ a machine they don't control or

prudent users don't get hacked. non-prudent users hopefully learn
or darwin happens.

Ahem! I'm usually considered a prudent user (once upon a time, I was
the _only_ person using IPSec at an IETF meeting, having written it myself, and communicating with just about the earliest commercial
implementation by Morningstar). Admittedly, that was from my own
laptop, and I've never understood why we had public machines.....

However, I've had machines taken over this past summer through the
OpenSSH hole. A couple of years back, I had a router taken over through
a Cisco hole.

You're only as good as your software. And we all rely on each other.

That's worth remembering: the Internet still relies on cooperation,
between the vendors, and between the operators!

Meanwhile, I think Randy and John are both moving in the right direction
and I'm sure we'll all call Merit tomorrow to ask what in the world they
are thinking....

Same bug-ridden stuff, just better understanding, staying up with
patches, and understanding the human engineering side of things.

so maybe my absolute statement should have been..

s/prudent users don't get hacked/prudent users get hacked much less often

> but it adds annoyance for the intended users. in the case of non-
> techs, considerable annoyance. and it gives negligible privacy.

Randy has the best of intentions. But I'm tired of the old saw that
security adds annoyance. I long ago gave up on a WG at the IETF when
the members wanted to add security, but with *NO* configuration.

Well, if that's a possibility, then it sounds like the way to go.

Sorry, any security requires a *SECRET*.

No way. If you have to depend on some information to remain secret in
order to reach your security goals, you can start counting down until your
security is breached because it will happen each and every time.
Confidentiality in itself is only one goal.

I will agree that the security in WEP is almost useless, and have
personally campaigned to change it for years. But, it is still the only
Access Control widely available. So, it should be used, in addition to
the better methods.

In this particular instance, the gain is incredibly small (you only keep
out non-participants for 15 minutes or so) and the annoyance is rather
large. Also, if you use WEP people may be under the misguided impression
their data isn't completely open to public scrutiny.

If you really want the wireless network at a convention to be safe, simply
filter all clear-text protocols. That is much more inconvenient than
having to find the right WEP key, but at least it really helps.

a prudent user does not ssh _from_ a machine they don't control or

prudent users don't get hacked.

as easily

Access control should be used when you need access control. Sometimes
engineers need to step back from solving the problem, and look at whether
the problem needs to be solved.

What access control do you need for a public drinking fountain?

What access control do you need for a public wireless access point?

WEP won't keep people from hacking other laptops at Nanog meetings, and
won't stop people from sniffing plain-text passwords. Everyone at the
meeting will have the key, and a secret shared with 500 people won't stay
secret for even two days. For a network with no other access control,
what purpose does WEP serve?

Access control should be used when you need access control. Sometimes
engineers need to step back from solving the problem, and look at whether
the problem needs to be solved.

Yes...

What access control do you need for a public drinking fountain?

Today, none, that was different in recent past.

What access control do you need for a public wireless access point?

Depends on the network. If you are a provider of public wireless for
a fee, then you want to make sure you can charge the user. Thus you need
to be able to identify the user so you can charge them. You need to also
prevent theft of service, via false IDs or bypassing the id method, etc.

For events like a NANOG, et al, given the large number of "different
and ad-hoc" systems, identification is more a pain. It needs to be balanced
between the "cost, hassle factor" and the life of the network.

I'd say that mostly this is a rat hole thread.

Short lived conference networks will be insecure. Those attending should
be told, and expect it. They should prepare accordingly.

Show ops should have plans in case someone steals bandwidth, or causes
other problems with the "important show net stuff" like multicast feeds.

The cost and management requirements to deploy a reasonably secured network
for a show are higher than the benefits....

I don't see conferences giving out USB dongles to people with their ID
stored, or SecurID cards anytime soon :)

WEP won't keep people from hacking other laptops at Nanog meetings, and
won't stop people from sniffing plain-text passwords. Everyone at the
meeting will have the key, and a secret shared with 500 people won't stay
secret for even two days. For a network with no other access control,
what purpose does WEP serve?

As long as we are all on a shared layer two network, we are vulnerable.

john brown

Using a supposed security mechanism that is known to be essentially useless does nothing but lull people into a false sense of security.

d/

That will give people a false sense of security. Wouldn't it be better to use an approach like NetReg to give every user a warning when they first connect to the network? That doesn't require any arcane software config and would give an accurate indication of how secure the network is.

Chris

The only thing security really requires is *trust*. Secret keys won't do
any good if the platform is compromised. Elaborate protections are
useless if people who are allowed access are untrustworthy.

No matter what you do it always boils down to trustworthiness of the
physical implementations and people. Technological tricks simply modify
the communication space by shifting vulnerable points around. This is
often useful, but by no means can eliminate the need for inherently
trusted devices and people at the end points.

--vadim

PS. As a side note - the "shocking" discovery that ObL's guys didn't
    really use steganography and other modern tricks much and still have
    world-wide network which is very hard to compromise or penetrate
    (all those mountains of cool high-tech gadgetry NSA has, notwithstanding)
    is a good illustration: they rely on the "first principle" of building
    trusted systems - i.e. building the network of personal loyalties and
    face-to-face communications, instead of fooling with techno fixes.

PPS. I'm really really amazed at how people can consider any opaque system
    trustworthy. Most computer users naively trust their secrets to
    effectively every one of thousands of Microsoft engineers who can
    easily plant trapdoors. The same goes for trusting Intel. How hard
    is it for a CPU designer to plant an obscure bug causing a switch to a
    privileged mode? It is hard _not_ to create trapdoors like that by
    mistake, even in much simpler designs (check the 30-year old report on
    Multics security).

>... But, it is still the only
>Access Control widely available. So, it should be used, in addition to
>the better methods.

Using a supposed security mechanism that is known to be essentially useless
does nothing but lull people into a false sense of security.

Rubbish.

There are only two or three types of locks that cannot be picked from the
outside by a lockpicker within 10-15 minutes. None of those locks is on your
outside door. Why do you bother to lock your house?

There is only one class of door designs that cannot be broken through in
10-15 minutes. None of the doors of that class is in your house. Why do you
have a door on your house?

Alex

Rubbish.

There are only two or three types of locks that cannot be picked from the
outside by a lockpicker within 10-15 minutes. None of those locks is on your
outside door. Why do you bother to lock your house?

But in the case of public WLAN, who is the one that you're trying
to keep out? You don't give the keys to your house to 500 people so
your analogy sucks.

Pete