Fly secure, don’t drink

We all know how these days you are not allowed to bring any significant amount of liquid on the airplane. Every liquid you do bring with you is taken away swiftly. Bruce Schneier has an excellent blog entry on the usefulness of this rule.

In Belgium we have this television series “Airport Security” about the day-to-day aspects of security at our national airport (“Brussels Airport”). It is actually a spin-off from similar US and UK shows. In one of the episodes they showed how they confiscate liquids. After a couple of days all the bottles amounted to a fairly large pile, all nicely tucked away in plastic storage boxes. Their contents are, however, not safely disposed of (after all, they could contain explosives); instead they are given away to a charity organisation which distributes them to people in need.

Although I support their wish to help charity organisations, it seems a bit illogical to me. One minute they treat these bottles as potentially dangerous, confiscating them without exception; the next minute their risk level seems to drop to zero and they are handed out to charity.

As Bruce states in the above mentioned article:

If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it’s not dangerous, then stop trying to keep it off airplanes.

So either we stop confiscating those liquids, or we start handling them as really carrying a risk: treat anyone who tries to bring them on board as potentially dangerous and dispose of the liquids safely. Our current procedures are just stupid, annoying, incomplete and add no value to protecting those who travel by air.

DropBox + PasswordSafe = Good ??

When I read Joel Spolsky’s post about DropBox combined with PasswordSafe I kind of fell from my chair. Apparently he was looking for a way to store his passwords in a safe way and be able to access them on any computer he uses. This is what he proposes:

  1. Install DropBox on all your computers. DropBox is a simple tool that synchronizes a local folder with an Internet site. It keeps the contents of the folders in sync, so the latest version of your data is available on all your computers. Note that DropBox is secured by a username and password sent over the Internet (using SSL of course, at least I hope it is).
  2. Install PasswordSafe on all your computers. This is an application that creates a database to store and generate passwords. It uses a password to encrypt the database. The usual scheme is used: the password is fed into a key derivation function, and the derived key is used to encrypt the database. PasswordSafe can generate long, random passwords for you and helps you enter them into login forms.
  3. Store the PasswordSafe database in the DropBox folder.
  4. Password Nirvana!

Joel even suggests going all the way: change your bank account password to something really hard (like 16 random characters) and store it in PasswordSafe.

Joel seems to think that this is really all safe since he is using long and hard passwords on websites (those 16 random PasswordSafe passwords) and the “derived key function” used to encrypt his PasswordSafe database. Well Joel … I don’t think so. This is a clear case of “security dependencies” or “weakest link” …

Let’s see what I need to do to get at Joel’s really long and hard to guess 16 character password for his bank account.

  1. I need to hack into his PasswordSafe database. In order to do that, I first need access to it …
  2. I need to hack into his DropBox account. Doing that requires the usual hacking of a username and password on an Internet site. With the DNS flaws and various phishing techniques, that is not even that hard these days. And it is worth the effort: after all, it will give me access to his bank account!
  3. Now that I have his PasswordSafe database, I need to decrypt it. I don’t care a single moment about the strength of the encryption algorithm, nor about the value of the derived key function. The only thing I need to know is his master password. Since I have the database offline and there is no mechanism whatsoever to discourage a brute force guessing attack, this is purely a matter of time. The attack is even undetectable, since it happens on my local infrastructure.

Whatever cool encryption and synchronisation mechanism this setup uses, eventually the entire security depends on just a username and password. Since he wanted to protect a password login in the first place (his bank account) I wonder what he actually achieved in terms of increased security.

My first idea would be to say that he has replaced password based security with … password based security. The only thing that has changed are some extra, but minor, hurdles to hack it all. But I would even go further. He ends up less secure, since cracking his PasswordSafe opens up all his accounts for me, not just his bank account, and the overall attack is less detectable than if I hacked his bank account directly.
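To put numbers on the “purely a matter of time” argument, here is an added illustration (not code from Joel’s post, from DropBox or from PasswordSafe). It assumes a PBKDF2-HMAC-SHA256 key derivation as a stand-in for PasswordSafe’s derived key function (PasswordSafe’s real parameters are not given here) and measures, on the machine it runs on, how the expected offline guessing time depends on the master password’s entropy and the KDF’s cost, rather than on the 16-character bank password inside the database.

```python
import hashlib
import math
import os
import time

# Constructed model of an offline guessing attack on a password-derived key.
# Once the database is offline, nothing throttles the attacker: the only cost
# per guess is one run of the key derivation function.

CHARSET_SIZES = {"lowercase": 26, "alnum": 62, "printable": 94}


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of the given shape."""
    return length * math.log2(charset_size)


def expected_guesses(charset_size: int, length: int) -> float:
    """On average the right password is found after half the keyspace."""
    return (charset_size ** length) / 2


def kdf_rate(iterations: int, samples: int = 5) -> float:
    """Measure PBKDF2-HMAC-SHA256 derivations per second on this machine.

    Assumption: the vault's KDF costs about the same as this; an attacker with
    the database offline is limited only by this per-guess cost (times the
    number of cores/GPUs they throw at it)."""
    salt = os.urandom(16)  # constructed salt, just for timing
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations, 32)
    return samples / (time.perf_counter() - start)


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """Expected time to guess the master password at `rate` guesses/second."""
    return expected_guesses(charset_size, length) / rate


def compare(master_charset: int, master_len: int, iterations: int) -> dict:
    """Contrast the bank password's strength with the master password's.

    The 16 random printable characters protecting the bank account are
    irrelevant once the vault is obtained: only the master password counts."""
    rate = kdf_rate(iterations)
    secs = expected_seconds(master_charset, master_len, rate)
    return {
        "bank_password_bits": entropy_bits(CHARSET_SIZES["printable"], 16),
        "master_password_bits": entropy_bits(master_charset, master_len),
        "kdf_guesses_per_sec_single_core": rate,
        "expected_years_single_core": secs / (365 * 86400),
    }
```

Run `compare(CHARSET_SIZES["lowercase"], 8, 100_000)` to see an eight-letter master password fall far short of the ~105-bit bank password it is supposed to protect; raising `iterations` slows the attacker linearly, while each added master-password character multiplies the work.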

Addendum … this article discusses the same topic but using different examples:

To use an analogy (certain to spike my readership, even if only till the US political process spits out some other triviality to focus on) you can put lipstick on a pig, but all you’ll end up with is a cosmetically enhanced porker.

Similarly, you can plaster on the lipstick of strong authentication like Tammy Faye but, if you are smearing it onto a pig of an identity proofing processes, you’ll still be eating the bacon of low assurance …