info-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVS access control


From: Tobias Brox
Subject: Re: CVS access control
Date: Fri, 28 Sep 2001 23:32:55 +0400
User-agent: Mutt/1.0.1i

[Greg A. Woods - Thu at 03:44:52PM -0400]
> Not to mention almost no real authentication of the client user in the
> first place....

First they send this really fancy toy - a pocket device creating one-time
codes, in the mail.  It arrives in an unlocked mailbox, and it's handed over
by some mailman that could steal the letter without any trace.  To be sure
nothing bad happens, they send the PIN-code for the device in an ordinary
paper-letter two days before the device is sent.  I've seen numerous stupid
security flaws from almost all Norwegian banks, at least.  Security by
obscurity, all the way.  Quite often they're bragging about how secure
the main door is - while ignoring completely that back door is wide open.

This same bank having this "very secure" (it could be secure, but is not as
of today), fancy system with code-generators does also have a telephone
banking service.  Can you believe it, they use static 3-digits PIN-codes for
the telephone service?  This code is (of course) beemed completely
unencrypted over the telephone network!  Bills can be paid through the
service, no security at all.  But the most increadible thing ... it's
completely unbelievable: I got a letter (and same did most other customers
of the bank) complaining that their telephone banking service wasn't much
used - so to make it easy to use they had changed the PIN-code to one that
should be easy to remember for me.  The three first digits of my birth date!
It's so insanly stupid, I'm quite sure it must be the marketing manager
himself that decided it was a smart thing to do.

It took them a whole month to discover the mistake - they sent a new letter
urging people to change their codes (without stating any reason), and
informed that the code automaticly would be changed if we didn't do it
within two weeks.

> However as yet nobody's really identified any generic security policy
> requirements for CVS that cannot be implemented with filesystem ACLs.

We have touched some few things the file system can't give with the current
CVS implementation:

- ACLs on branches
- ACLs specified down to individual files, not only directories
- ACLs on branch and tag creation and redefining.

In addition, there might be possible to put separate permissions on adding,
removing, committing, checking out, reading history, etc, etc.  Some of
those things can be done through the file system, but not all of them, and
you have to know CVS pretty well to deal with it.

I can hardly argue that any of those things are important.  Not for me, at
least.  I can't tell for others.

> For one a versioning system is, by definition, providing a detailed
> audit trail that can very very very easily be used to enforce
> accountability

As long as people have write permissions to the repository, they can easily
forge any audit trail.  That is a real worry, I think - and it can only be
solved by some tripwire system.

> of course that the level of trust between the members of a group working
> on a given module in a given repository is necessarily much higher than
> it would ever be in the example of a group of users using a database
> application.

Truely.  As said before, people are supposed to trust each other, and also
there shouldn't be possible to do any irreversal harm through CVS (though
anyone with write-permission to the repository can do any harm they like).

> > Still - security through obscurity /is/ better than no security at all!
> 
> Nope, not true at all.  Security by obscurity leads to a false sense of
> security, and as pretty well every rational sane person in North America
> should realise by now there's really nothing worse than a false sense of
> security!

If you're implying that terrorist acts in America happened because of a
"false sense of security", I could hardly disagree more.  In the real world,
there is nothing like "real security".  People that are determinated enough
to perform terrorist actions, and have enough resources, will always find
new ways to do terrorist actions.  I don't think disallowing people to carry
nail cutting devices on the airlines will help anything at all - the
crashing airplane theme is probably used up, next time (and I'm quite sure
there will be a next time) we'll see something completely different, and far
more devastinge.  Still, no reason to worry, the risk for beeing killed by
traffic accident or heart trouble is many factors higher than the risk of
beeing killed by terrorist action.

I can see situations where "a false sense of security" combined with
"security through obscurity" would be very, very bad.  Take the Internet
banking example above, for instance, the customer might be completely
clueless about the technical details but very aware that all his money has
disappeared.  The bank can insist that the customer himself did wire all his
money to some Switz bank account, as they're cocksure their system is
perfectly secure.

Still, it seems like a lot of banks actually can afford to lean on "security
by obscurity".

--
Unemployed hacker
Will program for food!
http://ccs.custompublish.com/



reply via email to

[Prev in Thread] Current Thread [Next in Thread]