Good afternoon, Anthony,
On Wed, 20 Oct 2010, Anthony Carrico wrote:
On 10/20/2010 01:41 PM, William Stearns wrote:
On Wed, 20 Oct 2010, Anthony Carrico wrote:
"The YubiKey Wiki
The portal for software and services supporting the YubiKey
Everyone is welcome to read, but to avoid misuse only YubiKey users
can edit. <research papers> <Order your YubiKey>"
Agreed, this is wiki spam. I've reverted that entry and one other
I've found so far. Just like open source software, the wiki is only as
good as what people put into it. *grin*
Yes, but my point is a little deeper than that.
(and went completely over my head :-)
It says, "Everyone is welcome to read, but to avoid misuse only YubiKey users can edit." So,
the implication is that spammers went out of their way to buy a YubiKey.
I have to ask myself, would spammers actually buy a device in order to
advertise a paper mill on a security system's wiki? It seems somewhat
unlikely. If not, the YubiKey system--as implemented on Yubico's own
site--doesn't actually appear to be working.
I see the argument; web and email spam historically focused on
low-hanging fruit, and buying a hardware token to do such a mundane task
would seem unlikely.
My own counterargument is Blitzmail, the mail front-end used at
Dartmouth, and almost nowhere else. The time needed for a spammer of any
kind to learn how to get people's blitz passwords would seem useless as
that knowledge wouldn't be usable anywhere else. But we _have_ seen
deliberate attempts to get passwords, and attempts that take a form that
would _only_ apply to Blitzmail.
If I were a spammer and wanted to spend some time trying to break
into systems, I probably would consider buying security tokens from
multiple vendors and hiring people to identify vulnerabilities. Even one
success there might give me access to thousands of people instantly.
Maybe it is more subtle than that (/me strokes stubble). Maybe anyone
CAN edit, and in an effort to discredit the system, Mallory added the
"only YubiKey users can edit" and stuck in some fake spam to lead me
down the garden path!
*evil grin* I can see our plan to catch you in an infinite loop is
going along nicely. *evil grin*
You raise an interesting question, and I can't speak to whether
there is some deeper issue. Knowing what little I do about the hardware
device, I would tend to bet on an issue on the wiki server itself before
I'd bet on issues with the hardware or protocol.
If there's an actual issue with their management of the wiki
server or service, or one simply doesn't trust authentication to an
external company, the natural, intended, and completely encouraged
transition is to running one's own in-house authentication server. That,
too, is open-source and provided by Yubico. While they'll gladly be the
authentication back end for devices as shipped, all of the tools are there
for one to run one's own in-house server.
Cheers,
- Bill
---------------------------------------------------------------------------
"Forgiveness is the fragrance that the violet sheds on the heel
that has crushed it."
-- Mark Twain
--------------------------------------------------------------------------
William Stearns ([email protected], tools and papers: www.stearns.org)
Top-notch computer security training at www.sans.org , www.giac.net
--------------------------------------------------------------------------
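As an added illustration of what Bill's "running one's own in-house authentication server" amounts to, here is a minimal YubiKey OTP validation server in Go. This is example code written for this thread, not Yubico's validation server and not code from either correspondent. It follows the published YubiKey OTP layout (a modhex public ID followed by a 32-character modhex, AES-128-encrypted token carrying a private UID, session and use counters, and a CRC-16 that decrypts to the residue 0xf0b8); the AES key, private UID and public ID are constructed values, and the `encryptToken` helper exists only to manufacture sample OTPs for the demo, since on a real key that step happens inside the hardware. The point the code makes is that the per-device secrets and the replay state (last accepted counters) live wherever the validator runs, so a compromise of an unrelated web front end such as a wiki says nothing about the token or the protocol.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Modhex: YubiKey's keyboard-layout-independent hex alphabet.
const modhexAlphabet = "cbdefghijklnrtuv"

// CRC-16 register value every genuine token decrypts to (Yubico's "CRC OK" residue).
const crcOKResidue = 0xf0b8

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhexAlphabet[x>>4])
		sb.WriteByte(modhexAlphabet[x&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("modhex: odd length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhexAlphabet, s[i]), strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16: reflected poly 0x8408, init 0xffff, no final xor (CRC-16/X.25 without xorout).
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// Token is the plaintext inside the encrypted half of an OTP.
type Token struct {
	UID     [6]byte // private identity, never sent in clear
	Counter uint16  // session (power-up) counter; high bit is a flag, masked on validation
	Use     uint8   // use counter within the session
}

// encryptToken builds the 16-byte plaintext, stores the complemented CRC of the
// first 14 bytes and encrypts one AES block. Demo-only stand-in for the hardware.
func encryptToken(key [16]byte, t Token, timestamp uint32, rnd uint16) ([]byte, error) {
	p := make([]byte, 16)
	copy(p[0:6], t.UID[:])
	binary.LittleEndian.PutUint16(p[6:8], t.Counter)
	p[8], p[9], p[10] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16)
	p[11] = t.Use
	binary.LittleEndian.PutUint16(p[12:14], rnd)
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	c, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	c.Encrypt(out, p)
	return out, nil
}

// makeOTP: public ID plus encrypted token, fixed timestamp/random so the demo is reproducible.
func makeOTP(publicID string, key [16]byte, t Token) (string, error) {
	ct, err := encryptToken(key, t, 0x123456, 0xbeef)
	if err != nil {
		return "", err
	}
	return publicID + modhexEncode(ct), nil
}

type device struct {
	key      [16]byte
	uid      [6]byte
	ctr      uint16 // last accepted session counter
	use      uint8  // last accepted use counter
	seenOnce bool
}

// Validator holds the key database and replay state: the in-house server's whole job.
type Validator struct{ devices map[string]*device }

func NewValidator() *Validator { return &Validator{devices: map[string]*device{}} }

func (v *Validator) Register(publicID string, key [16]byte, uid [6]byte) {
	v.devices[publicID] = &device{key: key, uid: uid}
}

// Validate checks decryptability (CRC residue), device identity and counter monotonicity.
func (v *Validator) Validate(otp string) error {
	if len(otp) < 34 { // at least one public-ID byte plus the 32-char token
		return errors.New("otp too short")
	}
	publicID, body := otp[:len(otp)-32], otp[len(otp)-32:]
	d, ok := v.devices[publicID]
	if !ok {
		return errors.New("unknown public id")
	}
	ct, err := modhexDecode(body)
	if err != nil {
		return err
	}
	c, err := aes.NewCipher(d.key[:])
	if err != nil {
		return err
	}
	p := make([]byte, 16)
	c.Decrypt(p, ct)
	if crc16(p) != crcOKResidue {
		return errors.New("bad crc: wrong key or corrupted token")
	}
	if !bytes.Equal(p[:6], d.uid[:]) {
		return errors.New("private uid mismatch")
	}
	ctr, use := binary.LittleEndian.Uint16(p[6:8])&0x7fff, p[11]
	if d.seenOnce && (ctr < d.ctr || (ctr == d.ctr && use <= d.use)) {
		return errors.New("replayed or stale otp") // counters must strictly advance
	}
	d.ctr, d.use, d.seenOnce = ctr, use, true
	return nil
}

func main() {
	key := [16]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff} // constructed
	uid := [6]byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06}                                                              // constructed
	pub := "ccccccbcgujh"                                                                                           // constructed 12-char public ID
	v := NewValidator()
	v.Register(pub, key, uid)
	otp, _ := makeOTP(pub, key, Token{UID: uid, Counter: 5, Use: 1})
	fmt.Println("first use:", v.Validate(otp))  // <nil>
	fmt.Println("second use:", v.Validate(otp)) // replayed or stale otp
}
```

Two things worth noticing: a wrong key or a flipped character fails at the CRC step without any knowledge of the device, and the replay check is purely a property of the validator's stored state, which is why where that state lives (Yubico's cloud or your own server) is an operational choice rather than a protocol one.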