Re: CVS access control

[Tobias Brox]

[Greg A. Woods - Fri at 08:53:50PM -0400]
> (so far as I know no bank issues personal browser security certificates
> and configures their secure servers to only accept connections from
> browsers presenting valid, signed, certificates....  that would at least
> get rid of perhaps half the concerns I have about client host security)

Well, one of my banks does.  But what's the point, when the backdoor is wide
open?  The "security certificates" are generated at the spot if the client
doesn't have them, as long as the client can provide a four digit pin code.

At least that bank sends the PIN-code to the customer in a secure way; the
customer has to identify him/herself at the post office.  Most banks here
thinks the ordinary mail service is secure enough - it's as insecure as it
can get.

Besides, I don't think the certificates provides protection against
backdoors at the client computer (like trojan horses ... wasn't there
something called "back orify" some years ago?  Nobody learns!  They block
the port number back orify uses, and think they're safe.  It would be like
killing Bin Laden, and think _that_ is the ultimate security against
terrorism).  I think that any person having root access at the client
computer, and enough skills and insight, can take over the control of the
browser, and thus the session.

The only secure banking system I've seen used such a device for creating
one-time codes, but it wouldn't rely on a session, it would require the user
to enter the code for _each_ transaction that was to be performed.  That's
quite secure.  But then again, what's the point, when the calculator and the
PIN is sent by regular mail service?  Anybody snooping by my the mailbox
every day before I get to it might easily steal both the generator and the
PIN.

> > I can hardly argue that any of those things are important.  Not for me, at
> > least.  I can't tell for others.
> 
> I'm not sure ACLs on branches are meaningful at all to anyone, at least
> not in the bigger picture.

Well, at least I've been in a situation where it could be meaningful - we
wanted a lot of independent developers to have the right to commit to an
experimental branch, while the stable branch only should be touched by some
highly trusted person.  Thus we could recommend anyone to use the stable
branch.

> I suspect anyone who thinks otherwise is
> either not aware of the way security works in and with CVS, or is under
> some dreadful misimpression about what kind of protection ACLs on
> branches would afford in the real world.

As said, when I say that 'ACLs could be implemented in CVS', it has to be
done in a proper way ... and it has to be done impossible to mess directly
with the repository.  Since I'm not going to implement ACLs in CVS, it's
totally irrelevant for me if CVS would need a bottom-up rewrite or not to
meet the conditions :-)

> > As long as people have write permissions to the repository, they can easily
> > forge any audit trail.  That is a real worry, I think - and it can only be
> > solved by some tripwire system.
> 
> There are many viable techniques for secure logging of an audit trail.

Logging to a printer or an external host would do.  Eventually, a modern
file system could permit append-only access to log files.

> In the real world if you look at the facts here you'll find that the
> people who carried out those terrorist actions were, in all but maybe
> one case, able to do so to completion specifically because those
> immediately around them had a false sense of their own security.

I disagree.  I think the security control at the ground could have been
removed, and I'm quite sure it wouldn't matter a bit for what would happen
in the sky in this exact case.  People - maybe except for you - wouldn't be
a bit more alert.  Paranoid people are always paranoid, relaxed people are
always relaxed, regardless of how strict the security is.  And after all, I
support the relaxed people quite a bit (mind you, only as long as they have
no responsibility for the security!) - the risk for beeing on board the
hijacked plane is microscopic compared to the risk of beeing involved in a
traffic accident, getting a heart stroke, etc - always beeing nervous and
paranoid is certainly only going to increase the risk of a heart stroke, at
least.

Or tighten up the security control, and something different would happen.
Anthrax in the subway.  A tactical nuclear bomb under the WTC.  The plane
hijacked by old-fashionated fist-fights instead of weapons.  Poison in the
drinking water.  There are a myriad of ways to do terrorism, and it's
impossible to protect against all cases.

However insecure the security control is, I think it does stop some
lunatics.  It doesn't stop those that /plan/ to do terrorist actions, but it
/does/ stop a person that one disfortune evening just tilts over and decides
to hijack an airplane.

In Norway, we never had security controls on domestic airplanes.  Well,
except on the biggest and newest airports.  I don't know if anything changed
after 11th of september - but I'd daresay so.  We've had at least one
incident of a lunatic hijacking an airplane, and I don't think he would have
done it if there had been any security control.

Anyway, IMHO, tighting up the security controls and killing bin Laden won't
help a bit to reduce world terrorism.  It might reduce the risks a little
bit, but not much.

> When people get on airplanes with the assumption that all their fellow
> passengers are disarmed and harmless (and after all they went through
> the very same metal detectors and were inspected by the very same
> security officers at the airport)

I'd never assume the people around me to be armed bandits, even if there
were no security control at all.  I think most people wouldn't.  Maybe only
after the 11th of September incidents - and then again, people will be
shocked and surprised when they suddently will be attacked by bandits some
completely other place.

> If you had ever ridden with me on a commercial airline you'd undoubtably
> have heard me make remarks about just how false the sense of security
> everyone was under in many of the circumstances we passed through, and
> how easily it would be to subvert any of the actual security there was.

I think it is quite impossible to have complete security.  Explosives can be
hidden just anywhere, I think.

> > Still, it seems like a lot of banks actually can afford to lean on "security
> > by obscurity".
> 
> That's because they're in a position of authority and their customers do
> not question their declarations (often because of course they do not
> have the expertise to do so, especially in technologically related matters).

I've never seen or heard about anyone that has lost money from their bank
accounts, I can only guess that the bank would give the customer his money
back to avoid any negative publisity.

We have a new law in Norway - I think it states that if the customer claims
anything is wrong, the customer should first get his money back, and then it
will be up to the bank to take the case to the court and prove that the
customer is wrong.  I'm not sure if I would trust the law, but anyway I'm
amuzed that I almost never have heard about bad stories.

If all my money disappeared, and I didn't get them back, I would make
nothing less than a small thunderstorm.  If nothing would help at all, I'd
probably tilt over and kill the person responsible for the security.

--
Unemployed hacker
Will program for food!
http://ccs.custompublish.com/