I'd like to put this to bed for Loris (since it came up again).
Let us address all of your points, one by one. This will repeat some of the previously mentioned answer, but I want it to be the comprehensive nail in the coffin of this issue.
Loris Talon wrote: As you all know, I made some comments about how this forum works.
These are the comments that you posted to the LH group. LH = Land Holdings. Used for discussion among those in the group: In this group are Land officers, Tier donors and even Lindens.
Loris Talon wrote:
NCI Forum Registration Considered Harmful
---------------------------------------------------------
I have some considerations about the safety of the forum registration procedure and the Land Officer group joining.
To show that it is unsafe, I hacked it.
I registered an LO (not me of course) to the forum, then I joined the LO group and my faked request is pending.
I did it for only one LO but she is my friend, she knows I did it, she agreed with me to do this test.
Creating a faked member is easy and I can do the same for all of the not yet registered LOs.
The weak point of this procedure is that the SL name is required to register, but we cannot verify that identity.
I would prefer something as safe as the SL LO group.
Here are two solutions:
1. Make forum members from the SL group list in a programmatic way.
2. Send a notice to all LOs in the LH group; that notice contains a link to join the forum and the LO group in the forum.
Loris Talon
PS. Why are passwords transmitted in cleartext and not in an https request?
Let us start with some fundamentals. You have made to me the claim that your profession is that of a security expert. OK, I'll accept that as granted. If that is indeed the case, you should be able to make a clear, logical, non-emotive, professional analysis of the situation. You will also be expected to use the correct terminology, since, as a professional, you know enough to make clear distinctions and have any number of translation tools and professional resources at your disposal. If I've misunderstood you, then hopefully this post will help clarify some issues.
First, let us address the title of the notecard that you sent to the LH group without actually having spoken to the individual who is in charge of web services security: "NCI Forum Registration Considered Harmful".
"Forum registration" is a process, not a thing. It cannot "cause harm".
"Considered" by whom, using what criteria?
"Harmful" is inaccurate. The word "harm" means the causing of injury or damage.
In a direct communication with Lethe, your subject, in order to be accurate, should have read: "Loris Talon has a concern over forum registration and login processes."
Loris Talon wrote: In particular, I noticed that it was possible to steal the identity of an LO just by creating accounts with the same name as unregistered people.
You "noticed" that it is "possible" to "steal" the "identity" of an LO by creating an account using a name.
You did not "notice", you tested if it was possible to register using a name. The registration process was evidently successful. Congratulations! The system worked without a hitch!
Possible? Here is where you make your biggest error in logic. Possibility is not inevitability. It is POSSIBLE that the US government will fly a troupe of secret navy SEALs to your home, break through the walls with a tank, physically apprehend you and disappear you into a secret prison somewhere across the world. It's "possible". What you have failed to mention is the likelihood, more specifically known as the level of risk; that is, you have failed to back up your claims with accurate assessment and measures of risks.
"steal". To steal means to remove (or take control) from another without consent or authorisation. If someone registers with the name "Quite Oh", they have not stolen my identity. They have used my second life name on a forum. They cannot access my personal computer, my email, make credit cards in my name, etc. The very most they could do would be to post something using this string of characters, and, if Lethe authorized said individual, to read different forums.
"identity". Now here is where it gets interesting. As a security professional, you are without a doubt aware that what you are talking about is known as the authentication process. To authenticate means to verify to a high level of certainty that you are who you claim to be.
You are right, at the moment the authentication measures are neither extensive, nor instant.
Now we get to the crux of the matter: As a security expert, you will be intimately familiar with these two fundamental security axioms.
- The importance of security is directly tied to the value that someone places on something.
- Security and convenience are at opposite ends of the scale. More security = less convenience. More convenience = less security.
Loris Talon wrote: To show that it is unsafe, I hacked it.
You did not. You successfully registered a name--and with permission to boot! You expected SL authentication that never was promised and claim that it's a "hack", that is, you claimed to have circumvented authentication or authorization (permission) measures and mechanisms. This given authentication method did not exist in any programmatic way. Can't hack what is not there. What is disturbing about this, however, is your choice of incendiary and tabloid-like language that misrepresents reality. I would think that as an LO you'd be more inclined to fact check and collaborate with team members first.
Loris Talon wrote: So there are two cases:
1. this group is open to anybody but that complicated joining procedure and the waiting time is useless
2. this group is restricted but we need a serious registration and joining procedure
See my previous reply.
You can't have it both ways, Loris. Your above argument relies on the logical fallacy known as the argument of the excluded middle: the argument that only one extreme or the other may be true, while omitting the usually more practical and reality-grounded truth and facts. The simple fact is that you can ensure a more than sufficient degree of security for a small amount of upfront effort in registering, and the occasional (if you so desire) changing of passwords.
If you want more ease and security, *someone* has to put in the time and energy. We could technically force this system to tie into Linden Lab's age verification system and cross check with private investigators to actually ascertain to a high degree of certainty that the person authenticating is actually the live human who also drives the AV with the same name. Other than being an absurdly obvious waste of time, energy and money, it would be a breach of your personal privacy.
I have heard you complain that it is a nuisance to access the forums, and also complain that they are insecure. The only way to make it MORE convenient and MORE secure is to have someone do some more coding. I have specifically asked you if you would volunteer to help. You have outright refused. That leaves Lethe to do it. She is a human being, with a life, enjoying Second Life as a VOLUNTEER as we all are. Frankly, I think she's done a magnificent job of putting this together. For years now we've not had a fully kept-up system. Now we do. I think that you personally, Loris, should send Lethe a personal thank you note for the hard work she's done for us. If you are not happy with the hard work she's done, and wish only to complain that it doesn't meet your hypothetical dreams of bulletproof security for a public web forum, then I'm not sure what to suggest to you.
Loris Talon wrote: I'm sorry if it looks like I wanted to break your wonderful toy, but I live in a country that has the most advanced law on privacy; I wish that my personal data, my email address and my password are kept safe.
And like you, I share that same (if not more) concern over security. However, remember, Loris: YOU are responsible for your own security. Not NCI. Not the bank. Not your government.
As a security expert I'm sure you've already taken these precautions:
1) You have created an anonymous email account
2) You have generated a strong, multi-character random password to access said account
3) You regularly change its password
4) You have used a different strong, multi-character random password for the forums
5) You have used said anonymous email account as its authentication mechanism
6) You regularly change its password
Given the amount of time, resources, finances and energy available in relation to the context, and your own good common sense and excellent security habits, I'm convinced that for this point in time we are more than adequately secure. And as time goes on, and we get more done altogether, and time and energy and resources free up, I can see that we'll continue to improve on it.
Loris Talon wrote: I wish that my identity cannot be stolen by poorly designed software; hasn't the recent banlink case taught anything? I had to change all my passwords because I felt unsafe.
You appear to be mistaking the design of the software with the installation of software. The two have very little to do with each other. I find the software well designed for NCI's purposes. In fact, as an open source project, phpBB gets a lot of fresh eyes who are just as security conscious as we are poring over it. Just because something doesn't match your initial expectations, however, does NOT make it poorly designed or implemented, or installed. It only means that it has not matched your expectations. And so far, based on all that you have expressed so far, in notecards, open chat, group chat and now on the forums, I'm not convinced that you have thought through your expectations in a critical and pragmatic manner.
On banlink: Banlink's databases were accessed via the specific method known as SQL injection. It's my understanding that phpBB, the software upon which these forums are based, has handled these issues as of the version that we are using.
Loris Talon wrote: PS. Forum is a place to discuss things, so why, Lethe, are you asking us to address issues to you? No, I want to discuss them, because I like to discuss and listen to different opinions.
We have no problem that you discuss this openly, here on the forums. We (I) do have an issue that you cowboy-post an inaccurate, alarmist, freak-out, the-sky-is-falling post in a communications channel whose purpose is not general banter or opinion, but discussion among those involved with Land Holdings. For a number of years now, people have been complaining that there's not enough communication going on. We offer a venue to create more communication and your post effectively shuts it down to a degree. I've had people tell me that they won't use the forums because of your freak-out note.
Loris Talon wrote: They taught me that Security by Obscurity doesn't work well. Forum is a place of peers where criticism is welcome, different views and opinions meet or clash.
The security implemented here is not obscure. You are asked to register! You are asked for a password. You are asked for an email address (that hopefully you have made secure). Nor are there "hidden flaws" that are not dealt with because we think that people won't notice. The choices made were deliberate, pragmatic and considered to be appropriate for the given context. Again, you make claims that are unsupportable.
You know what works even less than "security through obscurity"? Not approaching the person who actually has the abilities to respond to your concerns directly. But on that topic, this is NOT an issue of security through obscurity. The systems are adequately secure for their level of value. My box of uncooked spaghetti is pretty important to me, I want to eat it one day, but I will not be secreting it away to an underground reinforced safe in a bank in Zurich to protect it. Please return to our two fundamental security axioms.
Loris Talon wrote: I sniffed with Wireshark the packets from my PC to the forum; in particular, here is the logon request (I obscured my password with stars):
As you can see in the body of the http request (not https) the password is in cleartext.
Again, we return to CONTEXT. Your concern addresses the notion of the "man in the middle attack".
I can sniff my own password too; this does not require malicious genius to access that which I already have access to on my own personal network. You have either accessed it via your own personal network directly, or you have hacked your own network, which, if that is the case is a far more severe breach to your security than someone finding out a temporary password to a public forum that can send email to an anonymous email account.
If someone else were able to access your password or mine, then we'd have something to talk about, in which case the correct answer is not to run about in a panic, but to calmly approach the one in charge of web security, present the tests you've made in a reproducible manner, show her the results, and suggest specifics on how it can be resolved.
I have saved a PM to myself with a string of characters. If you are capable of IMing me that string of characters, I will support your claim that there is a "breach" of security and will then work hand in hand with anyone needed to ensure that it is secure.
Everything is as secure as is reasonably necessary for the moment. It is not perfect in the sense that a dedicated team of people could in fact log on as Quite Oh, and post a nasty message, or read some of the stuff on non-open forums. But that is as far as they can get. IF such a team exists. Then all I'd have to do is point it out to Lethe, who could deal with it appropriately. Now, if the issue is that of FEELING secure, you need to ask yourself what you are willing to do in order to increase your feelings of security. I see two options: 1) Be factual and critical in your thinking, and make reality-based assessments so that you have real facts to work with, then 2) volunteer to work alongside us to improve the system so that it meets your own personal criteria for what would make you feel more secure.
In short, the sky is not falling, it's where it always has been: safely where it belongs. People can enjoy using these forums in a secure manner that will allow them to express themselves to the entirety of the NCI community, ask pointed questions, get honest answers and just generally keep connected.
Have fun using them!
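The two procedures Loris proposed in the quoted notecard (build forum membership from the in-world group list, or send LOs a join link through a group notice) come down to one defensive idea: let the in-world LO group, which NCI already trusts, vouch for the name instead of a free-text registration field. The following is an added illustration of that idea in Python; it is not code from the NCI forum, from Loris, or from phpBB. It assumes a hypothetical roster, a hypothetical server-side signing secret, and that the join link carrying the token is delivered through the LH group notice and served over https (as the PS asks); every name and value in it is constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed roster standing in for the authoritative in-world LO group list.
LO_ROSTER = {"Quite Oh", "Loris Talon", "Lethe Example"}

# Constructed signing key for the demo; a real deployment would generate one
# once and keep it only on the forum server.
SERVER_SECRET = b"constructed-demo-secret-not-for-real-use"

# Field separator inside the token. SL names are "First Last", so a pipe
# never appears in a legitimate name; issue_join_token refuses any that has one.
SEP = "|"


def issue_join_token(sl_name, roster=LO_ROSTER, secret=SERVER_SECRET, ttl=86400, now=None):
    """Mint a signed, expiring join token for an avatar on the authoritative roster.

    Returns None for names not on the roster (or containing the separator), so a
    token can only exist for someone the in-world group already vouches for.
    The token would be embedded in the join link sent by group notice.
    """
    if sl_name not in roster or SEP in sl_name:
        return None
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    msg = f"{sl_name}{SEP}{expires}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{sl_name}{SEP}{expires}{SEP}{tag}"


def verify_join_token(token, claimed_name, secret=SERVER_SECRET, now=None):
    """Check a token presented at registration: genuine, unexpired, and bound to claimed_name.

    This is the step the current registration lacks: the name typed into the form
    is accepted only if it matches the name the in-world channel vouched for.
    """
    parts = token.split(SEP)
    if len(parts) != 3:
        return False
    name, expires, tag = parts
    if not expires.isdigit():
        return False
    now = int(time.time()) if now is None else int(now)
    if now >= int(expires):
        return False  # expired links must not keep working indefinitely
    expected = hmac.new(secret, f"{name}{SEP}{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, tag):
        return False
    return name == claimed_name


if __name__ == "__main__":
    # Demo run on the constructed roster.
    tok = issue_join_token("Loris Talon", ttl=3600)
    print("token issued:", tok is not None)
    print("same name verifies:", verify_join_token(tok, "Loris Talon"))
    print("other name rejected:", not verify_join_token(tok, "Quite Oh"))
    print("non-LO gets no token:", issue_join_token("Not An LO") is None)
```

The point of the example is where the trust comes from: a registration is approved because the LO group roster produced a token for that exact name, not because someone typed the name. A token for "Loris Talon" cannot be redeemed as "Quite Oh", an expired token is refused, and nobody outside the roster gets a token at all, which is the gap the notecard describes. Sending the link over https keeps the token itself from being read in transit, the same property the PS wants for the password.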