Posts

Showing posts with the label security

The 3 A's of security when buying a coffee

The three A's of security are authentication, authorization and auditing. While these A's apply to computer security, they are also present in most transactions. For example, let's look at what happens when Igor wants to buy a coffee.

When Igor goes to buy a coffee with his credit card, the cashier starts by asking Igor for a picture ID, then the cashier swipes Igor's card (which dials the head office to make sure there is money), and finally a receipt is printed. After all that, Igor gets his coffee.

Let's look at the 3 A's in this transaction:

Authentication - Prove the entity is the entity - Ensure Igor is Igor by making sure the picture on his driver's license matches his face.
Authorization - Prove an entity is allowed to do something - Ensure Igor is allowed to place a $5 charge on his credit card.
Auditing - Record what has occurred - Write down that a coffee was purchased.

Authentication, Authorization, and Auditing in the coffee shop

Facebook, OpenID and Decrypting SSL

I was excited to see Facebook (FB) supporting login via OpenID (FB is a relying party), and I decided to give it a whirl. Here I list the results of my investigation, which describe the odd use of OpenID, as well as my wire-level analysis, which I hope you find informative. This post doesn't go into the details of how OpenID works; if you're interested in that, leave a comment and I'll put up such a post. FB uses OpenID in a way I've never seen before. In the "common" OpenID login model, you get a login page that shows you some sort of "login via OpenID" buttons. When you go to the FB login page there is no "login via OpenID". This confused me, but I went to my FB account settings and linked my Google account to my FB account. (Attempts to link my MyOpenID account failed with a strange error message.) After some trial and error I realized that if I was logged into my Google account and went to the FB page, then I'd automatically get logged into FB. Debugging...

Using tshark to find the man in the middle

This post is targeted at people that understand IP addresses and default gateways and have heard of ARP, but don't play with them often enough to realize how vulnerable we are to man-in-the-middle attacks. Back in the old days, the network hardware was often a hub, and hubs had the property that all the computers connected to a hub could see each other's traffic. This meant that if my computer and tori-the-lori were on the same hub, tori-the-lori could see all my network traffic. This sounds like weak security. In time the world invented switches, and now almost all networking uses switches. Switches differ from hubs in that computers only see traffic that is sent to them, not everyone's traffic. This difference should fix the weak security, right? Well, as with most things in security, the devil is in the details. Let's dig in. When a computer wants to talk to another computer by IP address, it needs to find the MAC address for that IP address, and this is done via ARP. Le...
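The point the post is building toward is that ARP has no authentication: any host can answer "I am 192.168.1.1" and the switch will happily forward the victim's traffic to it. The script below is an added example (not the post's own code) showing the check a practitioner would run over ARP replies captured with tshark. It assumes the capture was exported with `tshark -Y "arp.opcode == 2" -T fields -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac`, that the gateway is 192.168.1.1, and the sample lines are constructed, with the last three representing a poisoning of both the gateway and a host.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of what tshark prints for ARP replies when run as
#   tshark -i eth0 -Y "arp.opcode == 2" -T fields \
#       -e frame.time_relative -e arp.src.proto_ipv4 -e arp.src.hw_mac
# Fields are tab-separated: time, sender IP, sender MAC.  The last three
# lines are the attack: de:ad:be:ef:00:01 claims both the gateway and a
# host, which is how an attacker ends up between them.
SAMPLE_TSHARK_OUTPUT = """\
0.000000\t192.168.1.1\t00:11:22:33:44:55
0.512345\t192.168.1.10\taa:bb:cc:dd:ee:01
1.034567\t192.168.1.1\t00:11:22:33:44:55
7.200001\t192.168.1.1\tde:ad:be:ef:00:01
7.200452\t192.168.1.10\tde:ad:be:ef:00:01
8.100000\t192.168.1.1\tde:ad:be:ef:00:01
"""

GATEWAY_IP = "192.168.1.1"  # assumption: the LAN's default gateway


def parse_arp_replies(text: str) -> List[Tuple[float, str, str]]:
    """Turn tshark's tab-separated field output into (time, ip, mac) tuples."""
    replies = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        t, ip, mac = parts
        replies.append((float(t), ip, mac.lower()))
    return replies


def macs_per_ip(replies: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """Every distinct MAC that has claimed each IP, in order of first sight."""
    seen: Dict[str, List[str]] = {}
    for _, ip, mac in replies:
        macs = seen.setdefault(ip, [])
        if mac not in macs:
            macs.append(mac)
    return seen


def ips_per_mac(replies: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """Every distinct IP each MAC has answered for, in order of first sight."""
    seen: Dict[str, List[str]] = {}
    for _, ip, mac in replies:
        ips = seen.setdefault(mac, [])
        if ip not in ips:
            ips.append(ip)
    return seen


def find_conflicts(replies: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """IPs claimed by more than one MAC: each is a poisoning candidate."""
    return {ip: macs for ip, macs in macs_per_ip(replies).items() if len(macs) > 1}


def find_multi_ip_macs(replies: List[Tuple[float, str, str]]) -> Dict[str, List[str]]:
    """MACs answering for more than one IP.  One MAC claiming both the
    gateway and a host is the classic man-in-the-middle signature."""
    return {mac: ips for mac, ips in ips_per_mac(replies).items() if len(ips) > 1}


def gateway_hijacked(replies: List[Tuple[float, str, str]],
                     gateway_ip: str = GATEWAY_IP) -> bool:
    """True when a MAC that also answers for another host has claimed the gateway."""
    return any(gateway_ip in ips for ips in find_multi_ip_macs(replies).values())


def analyze(text: str, gateway_ip: str = GATEWAY_IP) -> dict:
    """Run all three checks over raw tshark field output."""
    replies = parse_arp_replies(text)
    return {
        "conflicts": find_conflicts(replies),
        "multi_ip_macs": find_multi_ip_macs(replies),
        "gateway_hijacked": gateway_hijacked(replies, gateway_ip),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TSHARK_OUTPUT)
    for ip, macs in result["conflicts"].items():
        print(f"{ip} was claimed by {len(macs)} MACs: {', '.join(macs)}")
    for mac, ips in result["multi_ip_macs"].items():
        print(f"{mac} answers for {', '.join(ips)}")
    print("gateway hijacked:", result["gateway_hijacked"])
```

On the sample this reports both 192.168.1.1 and 192.168.1.10 as claimed by two MACs and flags de:ad:be:ef:00:01 as answering for both. A mapping change on its own is not proof: a replaced NIC, a DHCP lease moving to another host, or a router with address aliases also produce it, so look at the timeline and at whether the original MAC keeps answering after the new one appears.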

Salting your hash, chasing rainbows and cracking passwords

Henry Ford takes 3 of his division presidents out for dinner to decide which of them will be the new CEO. As soon as they start eating, Mr. Ford chooses Bob, the man to his left, to be the new CEO. The other division presidents are shocked, and ask why Bob was picked over them. Henry replies: Bob was the only man who tasted his food before salting it. Unlike at dinner time, hashes should always be salted. A hash is a one-way function that maps something, for this discussion a password, to a short string. The point of a hash is that if you're given the hash, you can't figure out the password. A common scenario for hashes is checking users' passwords. Instead of storing a user's password and checking that the passwords match, you store the hash of the user's password, and make sure a hash of the password the user typed matches the hash you stored. The advantage of storing the hash is that if someone steals your disk they don't get your users' passwords. There's a rub though. What happens if t...
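The rub the post is about to describe is that an unsalted hash of a common password is the same for every user and every site, so one precomputed table cracks them all. The code below is an added example, not the post's code, contrasting the two schemes: a toy precomputed table against unsalted SHA-256, and per-user random salts with PBKDF2-HMAC-SHA256 (the iterated hash is my choice beyond what the post asks for; the salt is the point). User names, passwords and the guess list are constructed.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Assumptions for this example: PBKDF2-HMAC-SHA256 with a fixed iteration
# count and a 16-byte random salt.  The post only asks for a salt; the
# iteration count is an extra cost imposed on whoever is guessing.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What the post warns against: the same password always gives the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given.
    Store both: the salt is not secret, it only has to be unique per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def build_rainbow_table(guesses: Iterable[str]) -> Dict[str, str]:
    """A toy precomputed table: unsalted digest -> password, built once, reused forever."""
    return {unsalted_hash(g): g for g in guesses}


def crack_unsalted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup recovers any unsalted hash that is in the table."""
    return table.get(stored)


def crack_salted(salt: bytes, stored: bytes, guesses: Iterable[str]) -> Optional[str]:
    """With a salt there is no table to reuse: every guess must be rehashed
    with this user's salt, and none of that work carries over to other users."""
    for g in guesses:
        if verify_password(g, salt, stored):
            return g
    return None


def demo() -> dict:
    """Two users with the same (constructed) password, stored both ways."""
    users = {"alice": "hunter2", "bob": "hunter2"}
    table = build_rainbow_table(["password", "hunter2", "letmein"])
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # unsalted: identical passwords leak that they are identical, and one
        # table entry cracks both accounts
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "unsalted_cracked": {u: crack_unsalted(h, table) for u, h in unsalted.items()},
        # salted: identical passwords produce different records
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "alice_verifies": verify_password("hunter2", *salted["alice"]),
        "alice_wrong": verify_password("hunter3", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that `crack_salted` still succeeds if the password is in the guess list; the salt does not make a weak password strong, it only forces the attacker to redo the hashing for each user instead of looking the answer up.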