Brecht or a forum to discuss about the forum

A place for comments and questions on the NCI forums and web site.
Loris Talon

Brecht or a forum to discuss about the forum

Post by Loris Talon » Sun Sep 27, 2009 9:16 am

As you all know, I made some comments about how this forum works. In particular, I noticed that it was possible to steal the identity of an LO just by creating accounts with the same names as unregistered people.
Well, I was too optimistic.
The situation is much worse.
Apparently the registration form requires the SL full name.
But who are: Lethe, Nardok, Afon, Max_Kleiber, blu_laszlo, TaliaR, airmid.morgwain, PeaceSmythe, Gideon, Administrator?
Well, their names share a vague similarity with actual names in the LH group, but who says they are the same?
I wondered how the acceptance procedure works; in particular, I didn't receive any IM from Lethe asking me if it was me asking to join this group.
So there are two cases:
1. this group is open to anybody but that complicated joining procedure and the waiting time is useless
2. this group is restricted but we need a serious registration and joining procedure

I'm sorry if it looks like I wanted to break your wonderful toy, but I live in a country that has the most advanced law on privacy. I wish that my personal data, my email address and my password are kept safe. I wish that my identity cannot be stolen by poorly designed software. Hasn't the recent banlink case taught anything?
I had to change all my passwords because I felt unsafe.

PS. A forum is a place to discuss things, so why, Lethe, are you asking us to address issues to you? No, I want to discuss them, because I like to discuss and listen to different opinions. They taught me that Security by Obscurity doesn't work well.
Forum is a place of peers where criticism is welcome, different views and opinions meet or clash.

Quite Oh
NCI Officer
Posts: 180
Joined: Sun Aug 30, 2009 11:21 pm
Location: Canada

Re: Brecht or a forum to discuss about the forum

Post by Quite Oh » Sun Sep 27, 2009 10:18 am

Loris Talon wrote:As you all know, I made some comments about how this forum works. In particular, I noticed that it was possible to steal the identity of an LO just by creating accounts with the same names as unregistered people.
First, Loris, you cannot "steal the identity of an LO". You can, however, use their name. Let's be accurate at least.
Loris Talon wrote:PS. A forum is a place to discuss things, so why, Lethe, are you asking us to address issues to you? No, I want to discuss them, because I like to discuss and listen to different opinions. They taught me that Security by Obscurity doesn't work well.
Forum is a place of peers where criticism is welcome, different views and opinions meet or clash.
It is perfectly acceptable to bring it up in a public forum once the person in charge of the project has had a chance to review it. Why go to Lethe? Because it's her job! In a restaurant do you scream to the other patrons that there's no food on your plate, or do you speak to the waitress? It's an evident answer.

If you have questions about security, bring them on; you'll find few people are as jealously guarded about their personal privacy as I am, Loris, so I'm all for hammering the system. But if you find a bug, or what you *think* is a breach of security, discuss it with the person in charge of the project. Then, after a reasonable period of time, if they don't respond, escalate, then finally reveal.

In my eyes, this is simple good sense.

PS: NCI is a helper organisation. Instead of posting to the public that the sky is falling, let's use those skills among ourselves and collaborate toward a solution.

Afon
NCI Officer
Posts: 154
Joined: Sun Aug 30, 2009 5:18 pm

Re: Brecht or a forum to discuss about the forum

Post by Afon » Sun Sep 27, 2009 12:06 pm

This forum is open to any sentient beings who may be interested in NCI and getting involved in NCI. It's not open to non-sentient spambots that trawl the internet looking for open forums to dump their spam into. That's why there is a 'complicated' registration procedure. I think all forums employ similar techniques to try to keep the spambots out.

A few of us joined the forum before the request to use your SL name was made. Using your SL name is simply a courtesy so that the posters can more easily be recognised. I think if you wanted to post anonymously, you can register with an arbitrary name, but my view is that we each should be man (or woman) enough to stand up for our views. I suppose that I was being a bit egotistical thinking that using Afon was sufficient to identify me, I'll ask Lethe to change my account to my full name.

I think Lethe (and the rest of us) are open to constructive criticism, that's how things improve, and that's one of the purposes of this forum (and I'll listen and consider any well reasoned crits no matter whether I can identify the poster or not).
Any sufficiently advanced information is indistinguishable from noise.

PeaceSmythe
NCI Officer
Posts: 369
Joined: Mon Aug 31, 2009 10:55 pm
Location: Nomad

Re: Brecht or a forum to discuss about the forum

Post by PeaceSmythe » Sun Sep 27, 2009 12:59 pm

On the positive side, I thought I was using my full name. Having spaces in a user id isn't a safe assumption.

On the negative, if the logon process is transmitting the password in clear text, I am _highly_ disturbed.
--Peace

Afon
NCI Officer
Posts: 154
Joined: Sun Aug 30, 2009 5:18 pm

Re: Brecht or a forum to discuss about the forum

Post by Afon » Sun Sep 27, 2009 1:13 pm

I think quite a few services send the password in cleartext if you lose your password. The password sent should be treated as a 'one time password' and changed immediately.
Any sufficiently advanced information is indistinguishable from noise.

Loris Talon

Re: Brecht or a forum to discuss about the forum

Post by Loris Talon » Sun Sep 27, 2009 2:03 pm

PeaceSmythe wrote:On the positive side, I thought I was using my full name. Having spaces in a user id isn't a safe assumption.

On the negative, if the logon process is transmitting the password in clear text, I am _highly_ disturbed.
I sniffed with Wireshark the packets from my PC to the forum; in particular, here is the logon request (I obscured my password with stars):
As you can see in the body of the http request (not https) the password is in cleartext.

POST /forum/ucp.php?mode=login HTTP/1.1
Host: nci-sl.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; it; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://nci-sl.org/forum/ucp.php?mode=login
Cookie: sdsessionid=1fabcb366fa031ffd01d1892101e20ce; phpbb3_1ilfc_u=1; phpbb3_1ilfc_k=; phpbb3_1ilfc_sid=d5d728fa6ef2d4661850426ba3abe6db
Content-Type: application/x-www-form-urlencoded
Content-Length: 107

username=Loris+Talon&password=********&redirect=index.php&sid=d5d728fa6ef2d4661850426ba3abe6db&login=Login
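An added example (not code from the thread): a small audit script that parses a raw HTTP request capture shaped like the one above and reports what anyone on the network path could read from it, namely the credential fields, the session cookie, and the scheme the login page was served over. The host, cookie and password values in the sample are constructed placeholders.

```python
"""Audit a captured HTTP login request for credentials sent in the clear.

Added example, not code from the thread. It parses a raw HTTP/1.1 request
as a packet sniffer would show it and reports what a passive observer on
the path could read: sensitive form fields, session cookies, and whether
the login page itself was served over http or https.
"""
from urllib.parse import parse_qs, urlsplit

# Form field names treated as credentials (assumption: the common ones).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd"}

# Constructed sample in the shape of the capture quoted above; host, cookie
# and password values are placeholders, not values from the thread.
SAMPLE_BODY = ("username=Loris+Talon&password=PLACEHOLDER_PW"
               "&redirect=index.php&sid=PLACEHOLDER_SID&login=Login")
SAMPLE_REQUEST = (
    "POST /forum/ucp.php?mode=login HTTP/1.1\r\n"
    "Host: forum.example.org\r\n"
    "Referer: http://forum.example.org/forum/ucp.php?mode=login\r\n"
    "Cookie: phpbb3_x_u=1; phpbb3_x_k=; phpbb3_x_sid=PLACEHOLDER_SID\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)


def parse_request(raw):
    """Split a raw request into request line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def audit_login_capture(raw):
    """Report what is readable in a captured (i.e. unencrypted) login request.

    If a sniffer could read the body at all, TLS was not in use, so every
    field in the body is exposed to anyone on the network path.
    """
    req = parse_request(raw)
    headers = req["headers"]
    ctype = headers.get("content-type", "")
    fields = {}
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(req["body"], keep_blank_values=True)
    sensitive = sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS)
    # Cookies travel with every request; a session id read here lets an
    # observer reuse the session without ever knowing the password.
    cookies = [c.split("=", 1)[0].strip()
               for c in headers.get("cookie", "").split(";") if c.strip()]
    session_cookies = [c for c in cookies if "sid" in c.lower()]
    # The Referer shows the scheme the login form itself was served over;
    # a form served over http cannot be trusted to post over https.
    scheme = urlsplit(headers.get("referer", "")).scheme or "unknown"
    return {
        "method": req["method"],
        "form_served_over": scheme,
        "sensitive_fields": sensitive,
        "session_cookies": session_cookies,
        "exposed": bool(sensitive or session_cookies),
    }


if __name__ == "__main__":
    for key, value in audit_login_capture(SAMPLE_REQUEST).items():
        print(f"{key}: {value}")
```

The same check run against a request whose Referer and form action are https, with the capture taken outside the TLS session, would yield no readable body at all; that is the fix the thread discusses.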

Lethe
badministrator
Posts: 92
Joined: Sun Aug 30, 2009 4:02 am
Location: Bumming around Kuula

Re: Brecht or a forum to discuss about the forum

Post by Lethe » Sun Sep 27, 2009 5:19 pm

Okay, I am going to go through everything here bit by bit. A lot of it has already been answered, but I'm going to go through those points as well.

First, on the topic of names.
The line in registration about using your Second Life name, first and last, was stuck in there by me. The purpose of that guideline was to prevent problems down the line if more than one person with the same first name joined the forums. It is, at the moment, not a hardcoded rule. The system does not look for two words separated by a space. I have decided not to actively change users' names to fit the firstname lastname guideline unless we've talked about it inworld.

I did this because it was the best use of my time at the moment; this will be a common theme in this post. There may be a time I go back and enforce naming rules, but it is not right now.

On the topic of forum groups.

The procedure for joining forum groups is this: The user applies for the group, say the Land Officer group. On a regular basis, I check a list generated for me of people who have applied to join the forum group. I go name by name, checking for membership in a LO group. I approve the person for the group, the forum sends an email to the user stating they've been approved. I may start IMing people inworld when they apply for the LO group, but I haven't been so far.

On the topic of registration.

Anyone is welcome to join the forums. The process is fairly painless, and necessary to prevent bots and spam from clogging up the forums. Prevention of bot registration is the purpose of the captcha, and if you have problems with it I am happy to help you. I have already helped at least one user, and I really believe that technology is useless if everyone can't use it. However, there will never be guest (no login) posting, that is simply not a good option for us.

On the topic of forum security.
The forums do transmit your password in plaintext when logging in. However, I do not feel this is a meaningful security issue for several reasons:

First: In order to intercept that password in transit to the forums, somebody would need to compromise a router between your computer and the forums. So either somebody has already compromised your local router, or somebody has compromised a secure router along the route. In either of these cases, people have far bigger problems than a forum password. Many passwords are sent either in plaintext or just in base64; somebody breaking into a router would have all kinds of interesting information (for better or worse).

Passwords in the NCI system are stored in a secure database using md5 encryption.

Second: If, by any means, an NCI forum account were compromised, what would be the gain? The only gains for the person who compromised the account would be the ability to post as the compromised account and the password of the compromised account. If you see posts on the forum that you have not made, simply let me know and I'll do my best to fix the situation. As for the password, it is always a good idea to use separate passwords for different systems, so if one password is learned it won't also work for your SL account (or worse, your bank account). This is common sense personal web security, and it is pretty much absolute protection for you in the event that any password is revealed.

Third: This is the behavior for all phpbb forums. The solution to this issue would be to purchase a security certificate and use an https connection. At this point, given the previous points, that money and time is better spent elsewhere. In your travels around the web, you may have noticed secure connections for things such as online banking and commerce, or confidential or harmful information. This is not an issue for us because...

Fourth: This is a public forum. I encourage you to never do anything that makes you uncomfortable. If that means not posting certain information, that is your right. We only require a username, password, and email address. If you feel uncomfortable using the forums, you have every right not to use them. That is your choice, and I understand.


Finally, on the topic of me.

First: I encourage feedback. I encourage public feedback. I moved this thread from the land officers subforum to the forum questions and feedback subforum because this subforum is visible to all. When I ask that you address concerns to me, it is not an issue of security through obscurity or sweeping mistakes under the rug. It is simply a matter of getting information to the person who can make use of it as quickly as possible. Loris, you sent a group notice without even attempting to contact me first, that is the main problem I had with what happened. If somebody contacts me with a problem that should be discussed, I'll work with that person to make sure the discussion happens. I am more than happy to explain why I do the things I do, and why I make the choices I make. I am more than happy to explain those things publicly. But I consider it simple courtesy to ask me personally for those explanations rather than demand or simply plow ahead with your theory of why I did something.

Second: On the use of my time. I've said a couple of times now that certain things aren't worth the time I'd spend on them. This is not apathy or disrespect for the person suggesting changes. Even ignoring the fact that I never have as much time to devote to NCI as I would like, I am very much hard at work on tools and systems for NCI. Some of these tools are for specific purposes or members and may not be immediately obvious to everyone. I give you my word that when I say there are better uses of my time, it is because there are many things on my to-do list which clamor to be done (perfectly) yesterday. I understand that some solutions may seem simple and easy, but this is often not the case. However, I never want to give the appearance I'm brushing you off, and I do return to things that I have previously stated are not worth my time at the moment.

In general, I just ask for some basic courtesy and the benefit of the doubt. I will always offer the same to you.

-Lethe

Blu Laszlo
NCI Officer
Posts: 109
Joined: Sun Aug 30, 2009 11:06 pm

Re: Brecht or a forum to discuss about the forum

Post by Blu Laszlo » Mon Sep 28, 2009 8:45 pm

1. The only possible personal information that can be compromised is an email address. If worried, just make a new yahoo or gmail e-mail address specifically for this purpose.

2. One should always use different passwords for different applications. In the unlikely event that the forum password is compromised with advanced packet sniffers, then the only damage is that the "hacker" can post messages in your name; and these can easily be deleted.

3. Anyone can register with a false name (here and elsewhere on the Internet) and this is not a problem that is unique to this forum. In the best of all worlds, we should be able to link our login credentials with those of SL, but I do not see this happening easily.

4. One can easily deal with the issue of specific group membership by an in-world IM verification process (e.g. "Lethe, I just applied to be in the Officer's group, can you please approve?").

These forums are as safe as any other on the Internet. I would like to see that packet sniffer catch my password.....
Last edited by Blu Laszlo on Thu Oct 01, 2009 4:23 am, edited 1 time in total.
Blu Laszlo

Quite Oh
NCI Officer
Posts: 180
Joined: Sun Aug 30, 2009 11:21 pm
Location: Canada

Re: Brecht or a forum to discuss about the forum

Post by Quite Oh » Thu Oct 01, 2009 1:36 am

I'd like to put this to bed for Loris (since it came up again).

Let us address all of your points, one by one. This will repeat some of the previously mentioned answers, but I want it to be the comprehensive nail in the coffin of this issue.
Loris Talon wrote:As all you know I did some comments about how this forum works.
These are the comments that you posted to the LH group. LH = Land Holdings. Used for discussion among those in the group: In this group are Land officers, Tier donors and even Lindens.
Loris Talon wrote: NCI Forum Registration Considered Harmful
---------------------------------------------------------
I have some considerations about the safety of the forum registration procedure and the Land Officer group joining.

To show that it is unsafe, I hacked it.

I registered an LO (not me of course) to the forum, then I joined the LO group and my faked request is pending.

I did it for only one LO but she is my friend, she knows I did it, she agreed with me to do this test.
Creating a fake member is easy and I can do the same for all of the not yet registered LOs.

The weak point of this procedure is that the SL name is required to register, but we cannot verify that identity.

I would prefer something as safe as the SL LO group.
Here are two solutions:

1. Make forum members from the SL group list in a programmatic way.

2. Send a notice to all LOs in the LH group; that notice contains a link to join the forum and the LO group in the forum.

Loris Talon

PS. Why are passwords transmitted in cleartext and not in an https request?
Let us start with some fundamentals. You have made to me the claim that your profession is that of a security expert. OK, I'll accept that as granted. If that is indeed the case, you should be able to make a clear, logical, non-emotive, professional analysis of the situation. You will also be expected to use the correct terminology, since, as a professional, you know enough to make clear distinctions and have any number of translation tools and professional resources at your disposal. If I've misunderstood you, then hopefully this post will help clarify some issues.

First, let us address the title of the notecard that you sent to the LH group without actually having spoken to the individual who is in charge of web services security: "NCI Forum Registration Considered Harmful".

"Forum registration" is a process, not a thing. It cannot "cause harm".
"Considered" by whom, using what criteria?
"Harmful" is not accurate. The word "harm" means the causing of injury or damage.

In a direct communication with Lethe, your subject, in order to be accurate, should have read: "Loris Talon has a concern over forum registration and login processes."

Loris Talon wrote:In particular, I noticed that it was possible to steal the identity of an LO just by creating accounts with the same names as unregistered people.
You "noticed" that it is "possible" to "steal" the "identity" of an LO by creating an account using a name.

You did not "notice", you tested if it was possible to register using a name. The registration process was evidently successful. Congratulations! The system worked without a hitch!

Possible? Here is where you make your biggest error in logic. Possibility is not inevitability. It is POSSIBLE that the US government will fly a troupe of secret Navy SEALs to your home, break through the walls with a tank, physically apprehend you and disappear you into a secret prison somewhere across the world. It's "possible". What you have failed to mention is the likelihood, more specifically known as the level of risk; that is, you have failed to back up your claims with accurate assessment and measures of risks.

"steal". To steal means to remove (or take control) from another without consent or authorisation. If someone registers with the name "Quite Oh", they have not stolen my identity. They have used my second life name on a forum. They cannot access my personal computer, my email, make credit cards in my name, etc. The very most they could do would be to post something using this string of characters, and, if Lethe authorized said individual, to read different forums.

"identity". Now here is where it gets interesting. As a security professional, you are without a doubt aware that what you are talking about is known as the authentication process. To authenticate means to verify to a high level of certainty that you are who you claim to be.

You are right, at the moment the authentication measures are neither extensive, nor instant.

Now we get to the crux of the matter: As a security expert, you will be intimately familiar with these two fundamental security axioms.

- The importance of security is directly tied to the value that someone places on something.

- Security and convenience are at opposite ends of the scale. More security = less convenience. More convenience = less security.
Loris Talon wrote:To show that it is unsafe, I hacked it.
You did not. You successfully registered a name, and with permission to boot! You expected SL authentication that never was promised and claim that it's a "hack", that is, you claimed to have circumvented authentication or authorization (permission) measures and mechanisms. This given authentication method did not exist in any programmatic way. Can't hack what is not there. What is disturbing about this, however, is your choice of incendiary and tabloid-like language that misrepresents reality. I would think that as an LO you'd be more inclined to fact check and collaborate with team members first.

Loris Talon wrote:So there are two cases:
1. this group is open to anybody but that complicated joining procedure and the waiting time is useless
2. this group is restricted but we need a serious registration and joining procedure
See my previous reply.

You can't have it both ways, Loris. Your above argument relies on the logical fallacy known as the argument of the excluded middle. The argument that only one extreme, or the other may be true, while omitting the usually more practical and reality grounded truth and facts. The simple fact is that you can ensure a more than sufficient degree of security for a small amount of upfront effort in registering, and the occasional (if you so desire) changing of passwords.

If you want more ease and security, *someone* has to put in the time and energy. We could technically force this system to tie into Linden Lab's age verification system and cross-check with private investigators to actually ascertain to a high degree of certainty that the person authenticating is actually the live human who also drives the AV with the same name. Other than being an absurdly obvious waste of time, energy and money, it would be a breach of your personal privacy :)

I have heard you complain that it is a nuisance to access the forums, and also complain that they are insecure. The only way to make it MORE convenient and MORE secure is to have someone do some more coding. I have specifically asked you if you would volunteer to help. You have outright refused. That leaves Lethe to do it. She is a human being, with a life, enjoying second life as a VOLUNTEER as we all are. Frankly, I think she's done a magnificent job of putting this together. For years now we've not had a fully up kept system. Now we do. I think that you personally, Loris, should send Lethe a personal thank you note for the hard work she's done for us. If you are not happy with the hard work she's done, and wish only to complain that it doesn’t meet your hypothetical dreams of bullet proof security for a public web forum, then I'm not sure what to suggest to you.

Loris Talon wrote:I'm sorry if it looks like I wanted to break your wonderful toy, but I live in a country that has the most advanced law on privacy. I wish that my personal data, my email address and my password are kept safe.
And like you, I share that same (if not more) concern over security. However, remember, Loris: YOU are responsible for your own security. Not NCI. Not the bank. Not your government.

As a security expert I'm sure you've already taken these precautions:

1) You have created an anonymous email account
2) You have generated a strong, multi-character random password to access said account
3) You regularly change its password
4) You have used a different strong, multi-character random password for the forums
5) You have used said anonymous email account as its authentication mechanism.
6) You regularly change its password

Given the amount of time, resources, finances and energy available in relation to the context, and your own good common sense and excellent security habits, I'm convinced that for this point in time we are more than adequately secure. And as time goes on, and we get more done altogether, and time and energy and resources free up, I can see that we'll continue to improve on it.

Loris Talon wrote:I wish that my identity cannot be stolen by poorly designed software. Hasn't the recent banlink case taught anything? I had to change all my passwords because I felt unsafe.
You appear to be mistaking the design of the software with the installation of software. The two have very little to do with each other. I find the software well designed for NCI's purposes. In fact, as an open source project, phpBB gets a lot of fresh eyes who are just as security conscious as we are poring over it. Just because something doesn't match your initial expectations, however, does NOT make it poorly designed, or implemented, or installed. It only means that it has not matched your expectations. And so far, based on all that you have expressed, in notecards, open chat, group chat and now on the forums, I'm not convinced that you have thought through your expectations in a critical and pragmatic manner.

On banlink: Banlink's databases were accessed via the specific method known as SQL injection. It's my understanding that phpBB, the software upon which these forums are based, has handled these issues as of the version that we are using.

Loris Talon wrote:PS. A forum is a place to discuss things, so why, Lethe, are you asking us to address issues to you? No, I want to discuss them, because I like to discuss and listen to different opinions
We have no problem that you discuss this openly, here on the forums. We, (I) do have an issue that you cow-boy post an inaccurate, alarmist, freak-out, the-sky-is-falling post in a communications channel whose purpose is not for general banter or opinion, but to discuss among those involved with Land Holdings. For a number of years now, people have been complaining that there's not enough communication going on. We offer a venue to create more communication and your post effectively shuts it down to a degree. I've had people tell me that they won't use the forums because of your freak-out note.

Loris Talon wrote:They taught me that Security by Obscurity doesn't work well. Forum is a place of peers where criticism is welcome, different views and opinions meet or clash.
The security implemented here is not obscure. You are asked to register! You are asked for a password. You are asked for an email address (that hopefully you have made secure). Nor are there "hidden flaws" that are not dealt with because we think that people won't notice. The choices made were deliberate, pragmatic and considered to be appropriate for the given context. Again, you make claims that are unsupportable.

You know what works even less than "security through obscurity"? Not approaching the person who actually has the abilities to respond to your concerns directly. But on that topic, this is NOT an issue of security through obscurity. The systems are adequately secure for their level of value. My box of uncooked spaghetti is pretty important to me, I want to eat it one day, but I will not be secreting it away to an underground reinforced safe in a bank in Zurich to protect it. Please return to our two fundamental security axioms.

Loris Talon wrote:I sniffed with Wireshark the packets from my PC to the forum; in particular, here is the logon request (I obscured my password with stars):
As you can see in the body of the http request (not https) the password is in cleartext.
Again, we return to CONTEXT. Your concern addresses the notion of the "man in the middle attack".

I can sniff my own password too; this does not require malicious genius to access that which I already have access to on my own personal network. You have either accessed it via your own personal network directly, or you have hacked your own network, which, if that is the case is a far more severe breach to your security than someone finding out a temporary password to a public forum that can send email to an anonymous email account.

If someone else were able to access your password or mine, then we'd have something to talk about, in which case the correct answer is not to run about in a panic, but to calmly approach the one in charge of web security, present the tests you've made in a reproducible manner, show her the results, and suggest specifics on how it can be resolved.

I have saved a PM to myself with a string of characters. If you are capable of IMing me that string of characters, I will support your claim that there is a "breach" of security and will then work hand in hand with anyone needed to ensure that it is secure.

Everything is as secure as is reasonably necessary for the moment. It is not perfect in the sense that a dedicated team of people could in fact log on as Quite Oh, and post a nasty message, or read some of the stuff on non-open forums. But that is as far as they can get. IF such a team exists. Then all I'd have to do is point it out to Lethe, who could deal with it appropriately. Now, if the issue is that of FEELING secure, you need to ask yourself what you are willing to do in order to increase your feelings of security. I see two options: 1) Be factual and critical in your thinking, and make reality-based assessments so that you have real facts to work with, then 2) volunteer to work alongside us to improve the system so that it meets your own personal criteria for what would make you feel more secure.

In short, the sky is not falling; it's where it always has been: safely where it belongs. People can enjoy using these forums in a secure manner that will allow them to express themselves to the entirety of the NCI community, ask pointed questions, get honest answers and just generally keep connected.

Have fun using them!
Last edited by Quite Oh on Fri Oct 02, 2009 4:37 am, edited 13 times in total.

Afon
NCI Officer
Posts: 154
Joined: Sun Aug 30, 2009 5:18 pm

Re: Brecht or a forum to discuss about the forum

Post by Afon » Thu Oct 01, 2009 12:07 pm

I think Loris, and the others she has unnecessarily scared, will not be reading this as they won't be accessing the forum. Perhaps look to a method of posting this in-world?
Last edited by Afon on Thu Oct 01, 2009 5:30 pm, edited 1 time in total.
Any sufficiently advanced information is indistinguishable from noise.
