d2r diego's weblog
the key is real, the lock is not

In the movie The Game, part of the plot centered around a (simulated) "attack" on a rich man (Michael Douglas) that forced him to give up the passwords and such to his bank accounts by intercepting the cell phone call and answering it, pretending to be the bank. The basic idea (make the environment familiar enough so that you slip up) has been used online in various forms, but so far any attentive person could figure out that things were not what they seemed.

Don has posted about an unsettling idea he calls visual spoofing. Essentially he's exposing the biggest threat of all: that we end up becoming used to our UIs to the point where we trust them implicitly.

I brought up the movie at the beginning because Don's example is the online version of it (granted, there are details missing, but does anyone doubt that you could conceivably spoof the entire UI? And what then?). Douglas' character in the movie has no way at all of telling that the person on the other side is not working for the bank, but for the enemy. His keys (passwords) are intact, but the lock (bank) isn't real.

The problem is, at the core, that we tend to guard (and trust, or distrust) the key, while we implicitly trust the lock. Why? The lock is "solid, real". It's "unmovable": built into the door, or ever present in your computer screen. The key can be duplicated without you knowing. The lock cannot. Except that the locks we've got on computer screens are themselves open to duplication. Seamless.

What Don is talking about is applied to browsers. But given the ever-present infestation of all kinds of worms and viruses, how long will it take until this applies to other software too? Software that monitors keypresses has been around for a long time, but digging through all the information generated is a mess (never mind having to get it out of the machine). This is targeted, targeted at the user, not at the system. You could simulate accounting software.

Social engineering meets cracking, or phreaking (no, I don't like to use the term hacking, which I prefer to use in its original context).

Thanks, Don, for the eye-opener. Looking forward to the follow-up where he'll talk about an idea he had to minimize this problem. I don't want to start thinking about possible solutions yet: I haven't even finished absorbing all the implications.

Categories: soft.dev
Posted by diego on February 12 2004 at 8:59 PM

Comments (please see the comments & trackback policy).
When I was a kid me and a friend wrote something that looked just like the login screen for our school PCs and then collected the admin password from the teacher. That's why Ctrl-Alt-Delete is the login combo for Windows NT/2K/XP.
Posted by: Andrew Ducker at February 12, 2004 10:11 PM

This is nothing new. Several solutions have been suggested (e.g. on the EROS mailing list, among others). Again the capability-security people are way ahead of everyone else, and still people refuse to listen. Instead they throw their money to companies like MS or their efforts on projects like linux, both of which seem to be just too ignorant (or too stupid) to fix their insecure system designs. Sigh... :-(
Posted by: Marcus Sundman at February 13, 2004 2:18 AM

Diego, I'm surprised you didn't tie this back in to The Matrix sequels :)
Posted by: Matthew Walker at February 13, 2004 2:30 AM

Marcus, could you provide some links so I can look them up? I have no idea what EROS mailing list is. Also, if it is not too inconvenient, could you describe some of the solutions they came up with?
Posted by: Don Park at February 13, 2004 9:38 AM

IMHO the best introduction to capability-based http://www.erights.org/e/satan/
Posted by: Patroklos Argyroudis at February 13, 2004 10:51 AM

Don, EROS is a secure operating system, and is the second link when searching for "EROS" on google: http://www.eros-os.org/ (although the website is horribly outdated). Some links to info about capability-based security can be found on the EROS website, on the erights site mentioned by Patroklos, and on http://www.cap-lore.com/CapTheory/ You might also want to check out various papers by Jonathan Shapiro and/or Mark Miller.
Posted by: Marcus Sundman at February 14, 2004 1:54 AM

Marcus, EROS arch mailing list is apparently down so I couldn't search the archive. What puzzles me is that there is no relationship between capability systems and visual spoofing, yet you seem to think there is. That is, unless EROS is somehow detecting and preventing display of certain pixel patterns from appearing on screen without appropriate capabilities. If so, that's just too expensive to be implemented on today's computers IMHO.
Posted by: Don Park at February 14, 2004 2:10 AM

> EROS arch mailing list is apparently down

It's working fine for me.

> there is no relationship between capability

True, except that both have very much to do with security. Anyway, the issue of visual spoofing has come up in various security contexts, e.g. on the eros-arch mailing list some months ago. (I'm sorry if I jumped too eagerly on the opportunity to once again preach the gospel of capability based security.)
Posted by: Marcus Sundman at February 14, 2004 2:36 AM

Matthew: Indeed. And now that you mention it... :-)

Marcus: I agree with Don here. This is an inherent problem of computer systems. It is ultimately not "fixable" since it has to do with our understanding of reality. There are ways of minimizing it (I've had a couple of ideas since I posted this) but we can't make it go away. Humans are sensory creatures, and we trust our senses implicitly (in this case, sight primarily). Mhm. That was too philosophical. Will leave the rest of my musings on this topic for a post and avoid going way off topic. :)
Posted by: Diego at February 14, 2004 5:53 PM

> detecting and preventing display of certain

Oops. I somehow missed this completely, but it's a question that certainly deserves an answer. The system doesn't have to prevent programs from displaying any particular pixel patterns. Here are two obvious solutions to your problem:

a) The system can prevent a program from getting to know what the window it tries to fake looks like. E.g., the user might assign the icon that will be shown on the titlebar of the windows of a particular program. Then the system simply has to prevent other programs from reading the graphics memory (and the file where the icon is stored, of course).

b) The system can reserve an area of the screen for its own exclusive use, and in that area it can then e.g. display the name of the program whose window is currently active (i.e. the program receiving user input).
Posted by: Marcus Sundman at February 14, 2004 9:02 PM

Marcus, (a) is basically a variation of the phishmarking idea. I am sure Diego is onto it too, for discovering the nature of the problem was the main problem.
Posted by: Don Park at February 15, 2004 6:18 AM

Copyright © Diego Doval 2002-2007.
