[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

hal@finney.org hal@finney.org
Sat, 20 Jan 2001 16:33:12 -0800

I just lurk on this list because I don't know the technology too well
(I don't even know what stack inspection/introspection is...)

But in the security business, vendors like to promote "two factor"
security.  That is, to get authorization you need "something you have"
plus "something you know".  Typically the thing you have is a token of
some sort like a smart card.  And the thing you know is a password.
You need both to get access to the system.

The idea is that it's hard for an attacker to get both of these away
from you.  You may have your token stolen or lose it due to carelessness,
but in these circumstances the attacker won't usually learn your password.
Or you may have your password snooped, but in that case the attacker is
unlikely to get your token.

A bare token would be something like a capability.  Is there a place in
the abstract capability world for the equivalent of a password?

Incidentally, I fell victim to an attack like this last Monday, when I
went to use my ATM card to withdraw money at a kiosk.  A guy was standing
by the machine saying it had eaten his card, but I went ahead and used
it anyway.  I wasn't too worried about it eating my card because I have
another one I use more anyway, and I thought it might have eaten his
card because there was something wrong with it.

So I put my card in and, sure enough, it ate it.  The machine failed to
even register that my card had been inserted and still said, please insert
your card.  Nothing I tried had any effect.  Then I noticed a little
typewritten note taped above the slot.  It said, if the ATM fails to eject
your card, enter your PIN three times and then hit cancel.  I tried this
and it didn't work; in fact, it did not seem to even notice my keypresses.

After I left I belatedly became suspicious.  If the ATM was broken, would
they really put a note on it like that?  You might see something like
that on a coke machine, but not an ATM.  And in entering my PIN multiple
times, wasn't it possible that guy could have seen it?  I had asked him
why he was standing there and he said he was waiting for his girlfriend
to return, who had gone to cancel her card.  In retrospect this story
didn't make sense.  So when I got home I cancelled my ATM card.

I checked at the bank a couple of days later, and sure enough, someone
had tried to use my ATM card at the gas station across the street a few
minutes after I left.  Apparently someone had gimmicked the machine in
such a way that they could retrieve my card after I left, and they'd
put that note up to trick me into entering my PIN so that they could
see what it was.

"Something I have" plus "something I know" didn't work here.
The attackers learned both by fooling me.  No system is foolproof.
But a world in which ATM cards did not require PINs would obviously be
a lot worse.  The question is whether capabilities are similar enough
to ATM cards to benefit from similar second-factor authorizations.
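As an added illustration (this is not code from Hal's post, nor from E or any capability system), here is one shape the "password equivalent" for a capability could take: a Python wrapper around a single authority that must be presented with a PIN on every invocation, locks itself after three bad guesses, and can be revoked by its holder. Holding the wrapper without the PIN gets nothing, and knowing the PIN without the wrapper gets nothing, since there is no global lookup from PIN to target. The Account class, the PinGuardedCapability class, and the PIN values are constructed for this example.

```python
"""Added example: a capability whose exercise also requires a secret."""
import hashlib
import hmac
import secrets


class AuthorizationError(Exception):
    """Raised when the knowledge factor (PIN) is wrong."""


class CapabilityRevoked(Exception):
    """Raised once the capability has been locked or revoked."""


class Account:
    """Constructed sample target: the authority we want to protect."""

    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        if amount > self.balance:
            raise ValueError("insufficient funds")
        self.balance -= amount
        return self.balance


class PinGuardedCapability:
    """Wraps a bound callable (the 'something you have') so that every use
    must also present a PIN (the 'something you know').

    - Stealing the reference alone yields nothing: invoke() refuses without the PIN.
    - Snooping the PIN alone yields nothing: nothing maps a PIN to a target,
      so the caller must still hold this object.
    - Guessing is bounded: after max_attempts wrong PINs the capability locks.
    - The holder can revoke() it, the analogue of cancelling the card.
    """

    def __init__(self, authority, pin, max_attempts=3):
        self._authority = authority
        self._salt = secrets.token_bytes(16)
        self._pin_digest = self._derive(pin)
        self._max_attempts = max_attempts
        self._attempts_left = max_attempts
        self._revoked = False

    def _derive(self, pin):
        # Keep only a salted, stretched digest of the PIN, never the PIN itself.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def invoke(self, pin, *args):
        if self._revoked:
            raise CapabilityRevoked("capability is locked or revoked")
        # Constant-time comparison so timing does not leak digest bytes.
        if not hmac.compare_digest(self._derive(pin), self._pin_digest):
            self._attempts_left -= 1
            if self._attempts_left <= 0:
                self._revoked = True  # lock out further guessing
            raise AuthorizationError("wrong PIN")
        self._attempts_left = self._max_attempts
        return self._authority(*args)

    def revoke(self):
        self._revoked = True


def run_scenario():
    """Walk through the situations in the post and report each outcome."""
    outcome = {}
    account = Account(100)
    card = PinGuardedCapability(account.withdraw, "1234")

    # Legitimate holder: has the capability and knows the PIN.
    outcome["balance_after_withdrawal"] = card.invoke("1234", 30)

    # Someone holding the reference but not the PIN is refused.
    try:
        card.invoke("0000", 30)
        outcome["wrong_pin_rejected"] = False
    except AuthorizationError:
        outcome["wrong_pin_rejected"] = True

    # Two more bad guesses exhaust the budget and lock the capability,
    # after which even the right PIN is refused.
    for guess in ("1111", "2222"):
        try:
            card.invoke(guess, 30)
        except AuthorizationError:
            pass
    try:
        card.invoke("1234", 30)
        outcome["locked_after_three_failures"] = False
    except CapabilityRevoked:
        outcome["locked_after_three_failures"] = True

    # A second card the holder cancels after a suspected compromise:
    # the correct PIN no longer helps anyone.
    card2 = PinGuardedCapability(account.withdraw, "1234")
    card2.revoke()
    try:
        card2.invoke("1234", 10)
        outcome["revoked_rejects_correct_pin"] = False
    except CapabilityRevoked:
        outcome["revoked_rejects_correct_pin"] = True

    outcome["final_balance"] = account.balance
    return outcome


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The lockout and revocation are what the ATM story turns on: a bounded number of guesses limits what a shoulder-surfed partial PIN is worth, and revocation by the holder is what actually stopped the attempted use at the gas station.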